Unrated severityNVD Advisory· Published Feb 26, 2013· Updated Apr 29, 2026

CVE-2012-4558

Description

Multiple cross-site scripting (XSS) vulnerabilities in the balancer_handler function in the manager interface in mod_proxy_balancer.c in the mod_proxy_balancer module in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via a crafted string.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting in Apache HTTP Server's mod_proxy_balancer manager interface allows remote attackers to inject arbitrary web script via crafted strings.

Vulnerability

The vulnerability is a cross-site scripting (XSS) in the balancer_handler function in mod_proxy_balancer.c of the mod_proxy_balancer module in Apache HTTP Server. It affects versions 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 [1]. The flaw occurs in the manager interface, where a crafted string can be injected.

Exploitation

An attacker can exploit this by tricking a user who is logged into the manager web interface into visiting a specially-crafted URL [3][4]. No authentication is required to trigger the XSS, but user interaction is needed (the victim must be logged in and visit the malicious URL). The attacker can inject arbitrary web script or HTML via a crafted string in the request.

Impact

Successful exploitation leads to arbitrary web script execution in the context of the victim's manager interface session [3][4]. This could allow the attacker to perform actions on behalf of the victim, such as modifying proxy balancer configurations or stealing session cookies, leading to information disclosure or further compromise.

Mitigation

The fix is included in Apache HTTP Server 2.2.24-dev and 2.4.4 [1]. Red Hat has released updated packages for RHEL 5 and 6 (RHSA-2013-0815) and for JBoss EAP 6.1.1 (RHSA-2013-1207 and RHSA-2013-1208) [2][3][4]. Users should upgrade to the fixed versions or apply the relevant patches.

References

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Apache/HTTP Server28 versions
cpe:2.3:a:apache:http_server:2.2:*:*:*:*:*:*:*+ 27 more
- cpe:2.3:a:apache:http_server:2.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.2.10:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.2.11:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.2.12:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.2.13:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.2.14:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.2.15:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.2.16:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.2.17:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.2.18:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.2.19:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.2.20:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.2.21:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.2.22:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.2.23:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.2.9:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.4.3:*:*:*:*:*:*:*
- (no CPE)range: <=2.2.23, <=2.4.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.047
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000