VYPR
← All advisories
Unrated severityNVD Advisory· Published May 13, 2008· Updated Apr 23, 2026

CVE-2008-2168

CVE-2008-2168

Description

Cross-site scripting (XSS) vulnerability in Apache 2.2.6 and earlier allows remote attackers to inject arbitrary web script or HTML via UTF-7 encoded URLs that are not properly handled when displaying the 403 Forbidden error page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache 2.2.6 and earlier fails to sanitize UTF-7 encoded URLs in 403 Forbidden error pages, allowing XSS attacks.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in Apache HTTP Server 2.2.6 and earlier. When a requested resource is denied and a 403 Forbidden error page is generated, the server fails to properly handle UTF-7 encoded URLs. An attacker can inject arbitrary web script or HTML via a crafted UTF-7 encoded URL, which will be reflected in the error page without proper sanitization.

Exploitation

The attacker does not require authentication or any special network position; the vulnerability is remotely exploitable. The attacker crafts a URL that uses UTF-7 encoding to bypass typical filtering mechanisms. When a victim's browser requests this URL and the server responds with a 403 Forbidden page, the injected UTF-7 encoded script is reflected in the response. The victim's browser decodes the UTF-7 content and executes the malicious script in the context of the vulnerable Apache server's domain.

Impact

Successful exploitation results in cross-site scripting (XSS), allowing the attacker to execute arbitrary HTML or JavaScript in the victim's browser within the security context of the Apache web server. This can lead to information disclosure (e.g., stealing cookies, session tokens), modification of page content, or other malicious actions that the victim's browser permits on that domain.

Mitigation

Apache HTTP Server 2.2.8 and later versions contain the fix for this vulnerability. Users should upgrade to Apache 2.2.8 or later. If upgrading is not immediately possible, a workaround is to ensure that error pages do not reflect user-supplied input without proper encoding. HP-UX systems were patched as part of security updates in 2009 (HP Security Bulletins HPSBUX02431 and HPSBUX02465). Ubuntu also included CVE-2008-2168 in its security update USN-731-1. [1] [2] [3]

References
  1. '[security bulletin] HPSBUX02431 SSRT090085 rev.1 - HP-UX Running Apache Web Server Suite, Remote Den'
  2. '[security bulletin] HPSBUX02465 SSRT090192 rev.1 - HP-UX Running Apache-based Web Server, Remote Den'
  3. USN-731-1: Apache vulnerabilities | Ubuntu security notices | Ubuntu

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

67
  • Apache/HTTP Server49 versions
    cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*+ 48 more
    • cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.28:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.28:beta:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.32:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.32:beta:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.34:beta:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.35:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.36:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.37:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.38:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.39:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.40:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.41:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.42:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.43:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.44:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.45:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.46:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.47:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.48:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.49:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.50:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.51:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.52:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.53:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.54:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.55:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.56:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.57:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.58:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.59:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.60:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.61:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.1.7:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.1.8:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:http_server:2.2.4:*:*:*:*:*:*:*
  • osv-coords18 versions
    pkg:apk/chainguard/apache2pkg:apk/chainguard/apache2-compatpkg:apk/chainguard/apache2-configpkg:apk/chainguard/apache2-config-compatpkg:apk/chainguard/apache2-datapkg:apk/chainguard/apache2-devpkg:apk/chainguard/apache2-docpkg:apk/chainguard/apache2-oci-entrypointpkg:apk/chainguard/apache2-utilspkg:apk/wolfi/apache2pkg:apk/wolfi/apache2-compatpkg:apk/wolfi/apache2-configpkg:apk/wolfi/apache2-config-compatpkg:apk/wolfi/apache2-datapkg:apk/wolfi/apache2-devpkg:apk/wolfi/apache2-docpkg:apk/wolfi/apache2-oci-entrypointpkg:apk/wolfi/apache2-utils
    < 0+ 17 more
    • (no CPE)range: < 0
    • (no CPE)range: < 0
    • (no CPE)range: < 0
    • (no CPE)range: < 0
    • (no CPE)range: < 0
    • (no CPE)range: < 0
    • (no CPE)range: < 0
    • (no CPE)range: < 0
    • (no CPE)range: < 0
    • (no CPE)range: < 0
    • (no CPE)range: < 0
    • (no CPE)range: < 0
    • (no CPE)range: < 0
    • (no CPE)range: < 0
    • (no CPE)range: < 0
    • (no CPE)range: < 0
    • (no CPE)range: < 0
    • (no CPE)range: < 0

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

15

News mentions

0

No linked articles in our index yet.