PT-2012-4182 · Apache+4 · Apache Http Server+4
Published: 2012-06-13
Updated: 2024-06-15
CVE-2012-2687
CVSS v2.0: 2.6 (Low)
Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Apache HTTP Server versions 2.4.x before 2.4.3
Description
The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the mod_negotiation module. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list, when the MultiViews option is enabled. This can be exploited on sites that use mod_negotiation and allow untrusted uploads to locations with MultiViews enabled.
Recommendations
For Apache HTTP Server versions 2.4.x before 2.4.3, update to version 2.4.3 or later to resolve the issue. As a temporary workaround, consider disabling the MultiViews option handled by the mod_negotiation module to minimize the risk of exploitation. Restrict access to locations where untrusted uploads are allowed, especially when MultiViews is enabled.
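One way to check a server against the two conditions above, as an added example that is not part of the original advisory: the script flags configuration sections that leave MultiViews enabled and tests a version string against the affected range listed on this page. The sample configuration, its paths and the function names are constructed for illustration.

```python
import re

# Constructed sample httpd configuration (not taken from the advisory).
SAMPLE_CONF = """\
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/var/www/html/uploads">
    Options +MultiViews
</Directory>
<Directory "/var/www/html/files">
    Options -MultiViews
</Directory>
"""

OPEN = re.compile(r"<\s*(\w+)\s*(.*?)\s*>$")
CLOSE = re.compile(r"</\s*\w+\s*>$")


def is_affected(version):
    """True for 2.4.x before 2.4.3, the only range this page lists."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    nums += [0] * (3 - len(nums))
    return nums[0] == 2 and nums[1] == 4 and nums[2] < 3


def multiviews_sections(conf_text):
    """List config sections whose own Options lines leave MultiViews on.

    Simplification: inheritance between sections, Include files and
    .htaccess overrides are not resolved.
    """
    stack, state = [], {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN.match(line)
        if opened:
            stack.append(" ".join(opened.groups()).strip())
        elif CLOSE.match(line):
            if stack:
                stack.pop()
        elif line.split()[0].lower() == "options":
            section = " > ".join(stack) or "(server config)"
            toks = [t.lower() for t in line.split()[1:]]
            if "multiviews" in toks or "+multiviews" in toks:
                state[section] = True
            elif "-multiviews" in toks or not all(t[0] in "+-" for t in toks):
                state[section] = False  # removed, or absolute list without it
    return [s for s, on in state.items() if on]
```

A flagged section that also accepts untrusted uploads is where the workaround applies: set `Options -MultiViews` there until the server is on 2.4.3 or later.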
Exploit
Fix
XSS
Affected Products
Apache HTTP Server
CentOS
HP-UX
Red Hat
SUSE