Vulnerability Name: CVE-2002-0840 (CCN-10241)

Assigned: 2002-10-02
Published: 2002-10-02
Updated: 2021-06-06
Summary: Cross-site scripting (XSS) vulnerability in the default error page of Apache 2.0 before 2.0.43, and 1.3.x up to 1.3.26, when UseCanonicalName is "Off" and support for wildcard DNS is present, allows remote attackers to execute script as other web page visitors via the Host: header, a different vulnerability than CAN-2002-1157.
CVSS v3 Severity: 5.6 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
  Exploitability Metrics:
    Attack Vector (AV): Network
    Attack Complexity (AC): High
    Privileges Required (PR): None
    User Interaction (UI): None
  Scope:
    Scope (S): Unchanged
  Impact Metrics:
    Confidentiality (C): Low
    Integrity (I): Low
    Availability (A): Low
CVSS v2 Severity: 6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
  Exploitability Metrics:
    Access Vector (AV): Network
    Access Complexity (AC): Medium
    Authentication (Au): None
  Impact Metrics:
    Confidentiality (C): Partial
    Integrity (I): Partial
    Availability (A): Partial
5.1 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P)
  Exploitability Metrics:
    Access Vector (AV): Network
    Access Complexity (AC): High
    Authentication (Au): None
  Impact Metrics:
    Confidentiality (C): Partial
    Integrity (I): Partial
    Availability (A): Partial
Vulnerability Type: CWE-Other
Vulnerability Consequences: Gain Access
References:

Source: SGI
Type: UNKNOWN
20021105-02-I

Source: BUGTRAQ
Type: UNKNOWN
20021017 TSLSA-2002-0069-apache

Source: CCN
Type: Gentoo Security Linux Announcement 200211-003
Cross-Site Scripting Vulnerability

Source: CCN
Type: Hewlett-Packard Company Security Bulletin HPSBUX0210-224
SSRT2393 Apache Vulnerabilities (rev. 1)

Source: CCN
Type: Full-Disclosure Mailing List, Wed, 2 Oct 2002 09:00:59 -0400
Apache 2 Cross-Site Scripting

Source: VULNWATCH
Type: UNKNOWN
20021002 Apache 2 Cross-Site Scripting

Source: CCN
Type: Nessus plugin ID : 11137
Apache < 1.3.27

Source: MITRE
Type: CNA
CVE-2002-0840

Source: CONECTIVA
Type: UNKNOWN
CLA-2002:530

Source: CCN
Type: Conectiva Linux Announcement CLSA-2002:530
DoS and other vulnerabilities

Source: CCN
Type: Apache Web site
Welcome! - The Apache HTTP Server Project

Source: CONFIRM
Type: UNKNOWN
http://marc.info/?l=apache-httpd-announce&m=103367938230488&w=2

Source: BUGTRAQ
Type: UNKNOWN
20021002 Apache 2 Cross-Site Scripting

Source: BUGTRAQ
Type: UNKNOWN
20021003 [OpenPKG-SA-2002.009] OpenPKG Security Advisory (apache)

Source: HP
Type: UNKNOWN
HPSBUX0210-224

Source: CCN
Type: Oracle Security Alert #45
Security Release of Apache 1.3.27

Source: CCN
Type: RHSA-2002-222
Updated apache

Source: CCN
Type: RHSA-2002-248
apache

Source: CCN
Type: RHSA-2002-251
apache security update

Source: CCN
Type: RHSA-2003-106
Updated apache and mod_ssl packages available

Source: CCN
Type: ApacheWeek, Issue 311, 4th October 2002
Security Reports

Source: CONFIRM
Type: Vendor Advisory
http://www.apacheweek.com/issues/02-10-04

Source: CCN
Type: CIAC Information Bulletin N-005
Apache 1.3.27 HTTP Server Release

Source: DEBIAN
Type: UNKNOWN
DSA-187

Source: DEBIAN
Type: UNKNOWN
DSA-188

Source: DEBIAN
Type: UNKNOWN
DSA-195

Source: DEBIAN
Type: DSA-187
apache -- several vulnerabilities

Source: DEBIAN
Type: DSA-188
apache-ssl -- several vulnerabilities

Source: DEBIAN
Type: DSA-195
apache-perl -- several vulnerabilities

Source: CCN
Type: US-CERT VU#240329
Apache HTTPD server vulnerable to cross site scripting on error page when using wildcard DNS

Source: CERT-VN
Type: US Government Resource
VU#240329

Source: MANDRAKE
Type: UNKNOWN
MDKSA-2002:068

Source: ENGARDE
Type: UNKNOWN
ESA-20021007-024

Source: CCN
Type: SCO Security Advisory CSSA-2002-056.0
Linux: apache vulnerabilities in shared memory, DNS, and ApacheBench

Source: CCN
Type: SCO Security Advisory CSSA-2003-SCO.10.1
OpenServer 5.0.5 OpenServer 5.0.6 : Various security fixes for Apache.

Source: CCN
Type: OpenPKG-SA-2002.009
Apache

Source: CCN
Type: OpenPKG-SA-2002.010
Apache mod_ssl

Source: OSVDB
Type: UNKNOWN
862

Source: CCN
Type: OSVDB ID: 862
Apache HTTP Server SSI Error Page XSS

Source: REDHAT
Type: UNKNOWN
RHSA-2002:222

Source: REDHAT
Type: UNKNOWN
RHSA-2002:243

Source: REDHAT
Type: UNKNOWN
RHSA-2002:244

Source: REDHAT
Type: UNKNOWN
RHSA-2002:248

Source: REDHAT
Type: UNKNOWN
RHSA-2002:251

Source: REDHAT
Type: UNKNOWN
RHSA-2003:106

Source: BID
Type: UNKNOWN
5847

Source: CCN
Type: BID-5847
Apache Server Side Include Cross Site Scripting Vulnerability

Source: CCN
Type: Trustix Secure Linux Security Advisory #2002-0069
apache

Source: XF
Type: UNKNOWN
apache-http-host-xss(10241)

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20200401 svn commit: r1058586 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1073140 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210606 svn commit: r1075470 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1073140 [1/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210603 svn commit: r1075360 [1/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20200401 svn commit: r1058587 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1073143 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1073149 [2/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210606 svn commit: r1075470 [1/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:apache:http_server:1.3.18:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.19:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.4:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.37:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.38:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_server:1.0.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_server:9.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:oracle8i:8.1.7_.0.0_enterprise:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:oracle8i:8.1.7_.1.0_enterprise:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_server:9.0.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:oracle9i:9.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:oracle9i:9.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:8.1.7:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.35:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:oracle9i:9.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.39:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_server:9.0.2:r2:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.20:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:oracle8i:8.1.7.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:oracle8i:8.1.7:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_server:1.0.2.1s:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.12:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.17:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.26:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.9:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.40:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.36:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.14:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.22:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.11:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_server:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.42:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.23:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.25:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:9.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.24:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.41:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.32:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:oracle9i:9.0.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:oracle9i:9.0.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.28:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:9.2.2:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:apache:http_server:1.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:8.1.7:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.19:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:9.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_server:9.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.26:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.9:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.12:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.20:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.23:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.17:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.14:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.38:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.39:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.42:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.11:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_server:1.0.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_server:1.0.2.1s:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.40:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.24:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.22:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:8.1.7.1:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.18:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:1.3.25:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_server:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_server:9.0.2:r2:*:*:*:*:*:*
  • OR cpe:/a:oracle:reports:9.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.28:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.32:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.35:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.36:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.37:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.41:*:*:*:*:*:*:*
  • AND
  • cpe:/a:redhat:stronghold:*:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:*
  • OR cpe:/o:redhat:linux_advanced_workstation:2.1:*:itanium:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions

Definition ID              Class  Title                    Last Modified
oval:org.debian:def:195    V      several vulnerabilities  2002-11-13
oval:org.debian:def:188    V      several vulnerabilities  2002-11-05
oval:org.debian:def:187    V      several vulnerabilities  2002-11-04