VYPR
Unrated severity · NVD Advisory · Published Jan 8, 2008 · Updated Apr 23, 2026

CVE-2007-6388

Description

Cross-site scripting (XSS) vulnerability in mod_status in the Apache HTTP Server 2.2.0 through 2.2.6, 2.0.35 through 2.0.61, and 1.3.2 through 1.3.39, when the server-status page is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting in Apache HTTP Server mod_status via unspecified vectors, exploitable when server-status is enabled, affecting versions 1.3.2 through 2.2.6.

Vulnerability

CVE-2007-6388 is a cross-site scripting (XSS) vulnerability in the mod_status module of the Apache HTTP Server. The flaw is present in versions 1.3.2 through 1.3.39, 2.0.35 through 2.0.61, and 2.2.0 through 2.2.6. The vulnerability exists when the server-status page is enabled, allowing remote attackers to inject arbitrary web script or HTML via unspecified vectors [1][2][3].

Exploitation

An attacker only needs network access to an Apache server on which mod_status is loaded and the server-status page is enabled; no authentication or special privileges are required. A specially crafted request to the server-status page causes the page to reflect attacker-controlled script or HTML back to the browser of whoever views it, without proper sanitization. The exact input vector is unspecified in the available references, but typical XSS exploitation involves injecting script through URL parameters or HTTP headers processed by mod_status [1][4].

Impact

Successful exploitation allows the attacker to execute arbitrary web script or HTML in the context of the victim's browser when viewing the server-status page. This can lead to session theft, credential harvesting, or other client-side attacks. The impact is considered moderate as it requires user interaction (accessing the status page) and does not directly compromise the server itself [1][4].

Mitigation

The vulnerability is fixed in Apache HTTP Server versions 2.2.8 (released December 2007) and later [1], and in 2.0.63 (released 2008) [2]. For the 1.3 branch, which is end-of-life, no fix was released; users are advised to upgrade to a supported version [3]. IBM HTTP Server users can apply Interim Fix PK65782 for version 2.0.47 [4]. If patching is not possible, disable mod_status or restrict access to the server-status page via configuration (e.g., using Location directives with Require ip).
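The access restriction recommended above, written out as an added example (it is not configuration from the advisory page or from the Apache project). It assumes the status page is mapped at /server-status and that the administrative network is 10.0.0.0/8; both are placeholders. Note that "Require ip" is the 2.4 syntax of mod_authz_host; the affected 2.0 and 2.2 branches use Order/Deny/Allow, so both forms are shown.

```apache
# Added example: lock the mod_status page down to localhost and an admin network.
# "/server-status" and 10.0.0.0/8 are assumed values; replace them for your site.

# Apache HTTP Server 2.0.x / 2.2.x syntax (mod_access / mod_authz_host)
<IfModule mod_status.c>
    <Location /server-status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 ::1
        Allow from 10.0.0.0/8
    </Location>
</IfModule>

# Apache HTTP Server 2.4.x equivalent (the "Require ip" form the Mitigation section mentions)
# <IfModule mod_status.c>
#     <Location /server-status>
#         SetHandler server-status
#         Require ip 127.0.0.1 ::1 10.0.0.0/8
#     </Location>
# </IfModule>

# Alternative when the page is not needed at all: do not load the module.
# Comment out the LoadModule line in httpd.conf so no status handler exists:
# LoadModule status_module modules/mod_status.so
```

After editing, run `apachectl configtest` and then a graceful restart. Verify the result from two vantage points: a request for /server-status from an allowed address should return 200, and the same request from any other address should return 403. If the page is unreachable from outside the allowed range, the reflected output that this CVE depends on is no longer exposed to untrusted viewers.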

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 94

News mentions: 0

No linked articles in our index yet.