VYPR
Unrated severity · NVD Advisory · Published Jan 25, 2008 · Updated Apr 23, 2026

CVE-2008-0455

Description

Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary web script or HTML by uploading a file with a name containing XSS sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

XSS in Apache HTTP Server's mod_negotiation; a crafted filename can inject script into 406/300 error responses.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in the mod_negotiation module of Apache HTTP Server versions 2.2.6 and earlier (2.2.x series), 2.0.61 and earlier (2.0.x series), and 1.3.39 and earlier (1.3.x series). When a remote authenticated user uploads a file whose name contains XSS sequences and a file extension, and another user requests the file without the extension, the server may return a 406 Not Acceptable or 300 Multiple Choices HTTP response that reflects the malicious filename, injecting arbitrary web script or HTML.

Exploitation

An attacker must have valid credentials to upload a file to a location served by Apache with mod_negotiation enabled. The attacker uploads a file with a name such as .txt. When a victim requests the file without the extension (e.g., /path/), the server's negotiation process triggers a 406 or 300 response that includes the unsanitized filename in the HTTP body, causing the browser to execute the injected script.

Impact

Successful exploitation allows an attacker to inject arbitrary web script or HTML into the response page. This can lead to session hijacking, credential theft, or defacement, all within the security context of the affected Apache server domain. The attack requires the victim to visit a crafted URL and the server to have mod_negotiation enabled.

Mitigation

Apache HTTP Server versions 2.2.7, 2.0.62, and 1.3.40 contain patches that properly sanitize filenames in negotiation responses. Users should upgrade to these or later versions. Workarounds include disabling mod_negotiation if it is not required, or restricting file upload capabilities for authenticated users. The absence of this CVE from the cited Red Hat advisories [1][2][3][4] indicates that Red Hat's patches were shipped separately.
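The second workaround above, restricting what authenticated users may upload, comes down to never letting a filename containing HTML-significant characters reach a directory served with content negotiation. The following is an added example (not code from the page, the Apache project, or Red Hat) of an upload-side allow-list check plus an audit helper that lists already-present filenames that would be reflected unsafely by an unpatched mod_negotiation. The function names, the allow-list pattern and the sample directory contents are assumptions constructed for this illustration.

```python
import os
import re
import tempfile

# Characters that break out of an HTML context when a filename is reflected
# unescaped into a response body (such as a 406/300 variant listing).
HTML_SPECIAL = re.compile(r'[<>"\'&]')

# Conservative allow-list for names stored in a negotiated directory:
# leading alphanumeric, then letters, digits, dot, dash or underscore only.
# This is an assumed policy for the example, not an Apache setting.
SAFE_NAME = re.compile(r'^[A-Za-z0-9][A-Za-z0-9._-]*$')


def is_safe_upload_name(name: str) -> bool:
    """Return True only if `name` can be stored without risking reflection
    of markup into negotiation responses or traversal out of the directory."""
    if not name or name in ('.', '..'):
        return False
    # Path separators and NUL never belong in a bare filename.
    if '/' in name or '\\' in name or '\x00' in name:
        return False
    return SAFE_NAME.fullmatch(name) is not None


def find_risky_names(directory: str) -> list[str]:
    """Audit an existing upload directory: return (sorted) entry names that
    contain characters an unpatched server would reflect into a 406/300 body."""
    return sorted(n for n in os.listdir(directory) if HTML_SPECIAL.search(n))


def build_sample_dir() -> str:
    """Create a temporary directory with constructed sample filenames:
    two benign variants of one resource and two names that must be rejected."""
    d = tempfile.mkdtemp()
    for name in ("report.txt", "report.html", "image<b>.jpg", "notes&more.txt"):
        open(os.path.join(d, name), "w").close()
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for name in os.listdir(sample):
        print(f"{name!r}: {'accept' if is_safe_upload_name(name) else 'reject'}")
    print("already-present risky names:", find_risky_names(sample))
```

Run the allow-list check at upload time and the audit function once over existing upload roots after deploying the fixed server versions; rejecting names up front is independent of whether MultiViews-style negotiation is enabled, so it remains worthwhile even where mod_negotiation is later switched off.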

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (7)

  • cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* (range: >=2.2.0, <2.2.23)
    • (no CPE) (range: 2.2.6 and earlier in 2.2.x, 2.0.61 and earlier in 2.0.x, 1.3.39 and earlier in 1.3.x)
  • cpe:2.3:a:redhat:jboss_enterprise_application_platform
    • cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:*

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (26)

News mentions (0)

No linked articles in our index yet.