PT-2013-1606 · Apache+4 · Apache Http Server+4

Niels Heinen · Published 2013-02-18 · Updated 2024-06-15 · CVE-2012-3499

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Apache HTTP Server versions 2.2.x before 2.2.24-dev
Apache HTTP Server versions 2.4.x before 2.4.4

Description

Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs in several modules, including mod_imagemap, mod_info, mod_ldap, mod_proxy_ftp, and mod_status. The root cause is that these modules write hostnames and URIs into their HTML output without escaping them. The issue was reported by Niels Heinen of Google.

Recommendations

For Apache HTTP Server versions 2.2.x before 2.2.24-dev, update to version 2.2.24-dev or later. For Apache HTTP Server versions 2.4.x before 2.4.4, update to version 2.4.4 or later. As a temporary workaround, consider disabling the vulnerable modules (mod_imagemap, mod_info, mod_ldap, mod_proxy_ftp, and mod_status) until a patch is available.
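The defect class described above, reduced to its essentials, as an added example that is not Apache's code and does not reproduce any of the affected modules: a status-style HTML row is rendered once by concatenating a client-supplied hostname and URI straight into the markup (the pattern the advisory describes) and once through an HTML-escaping helper (the class of fix shipped in 2.2.24-dev and 2.4.4). The sample hostname and URI are constructed values, and html_escape, render_row_unsafe and render_row_safe are names chosen here, not Apache APIs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* HTML-escape the characters that change meaning inside element text
 * and attribute values (& < > " '). Returns a malloc'd string, or NULL. */
char *html_escape(const char *in) {
    size_t extra = 0;
    for (const char *p = in; *p; p++) {
        switch (*p) {
        case '&':  extra += 4; break;   /* &amp;  */
        case '<':
        case '>':  extra += 3; break;   /* &lt; &gt; */
        case '"':  extra += 5; break;   /* &quot; */
        case '\'': extra += 4; break;   /* &#39;  */
        default: break;
        }
    }
    char *out = malloc(strlen(in) + extra + 1);
    if (!out) return NULL;
    char *o = out;
    for (const char *p = in; *p; p++) {
        switch (*p) {
        case '&':  memcpy(o, "&amp;", 5);  o += 5; break;
        case '<':  memcpy(o, "&lt;", 4);   o += 4; break;
        case '>':  memcpy(o, "&gt;", 4);   o += 4; break;
        case '"':  memcpy(o, "&quot;", 6); o += 6; break;
        case '\'': memcpy(o, "&#39;", 5);  o += 5; break;
        default:   *o++ = *p;
        }
    }
    *o = '\0';
    return out;
}

/* The vulnerable pattern: untrusted values copied into HTML verbatim. */
int render_row_unsafe(char *buf, size_t n, const char *host, const char *uri) {
    return snprintf(buf, n, "<tr><td>%s</td><td>%s</td></tr>", host, uri);
}

/* The hardened form: every untrusted value is escaped before it is emitted. */
int render_row_safe(char *buf, size_t n, const char *host, const char *uri) {
    char *h = html_escape(host);
    char *u = html_escape(uri);
    int r = -1;
    if (h && u)
        r = snprintf(buf, n, "<tr><td>%s</td><td>%s</td></tr>", h, u);
    free(h);
    free(u);
    return r;
}

/* Constructed sample values standing in for a client hostname and a request URI. */
static const char *SAMPLE_HOST = "<i>client</i>.example.test";
static const char *SAMPLE_URI  = "/path?a=1&b=2";

/* 1 if the hardened renderer neutralised the markup in the sample input. */
int safe_output_is_escaped(void) {
    char buf[256];
    if (render_row_safe(buf, sizeof buf, SAMPLE_HOST, SAMPLE_URI) < 0) return 0;
    return strstr(buf, "<i>") == NULL && strstr(buf, "&lt;i&gt;") != NULL
        && strstr(buf, "a=1&amp;b=2") != NULL;
}

/* 1 if the unsafe renderer let the sample markup through unchanged. */
int unsafe_output_leaks_markup(void) {
    char buf[256];
    if (render_row_unsafe(buf, sizeof buf, SAMPLE_HOST, SAMPLE_URI) < 0) return 0;
    return strstr(buf, "<i>client</i>") != NULL;
}

int main(void) {
    char buf[256];
    render_row_unsafe(buf, sizeof buf, SAMPLE_HOST, SAMPLE_URI);
    printf("unsafe: %s\n", buf);
    render_row_safe(buf, sizeof buf, SAMPLE_HOST, SAMPLE_URI);
    printf("safe:   %s\n", buf);
    return 0;
}
```

The check to carry over to a review of any module that renders request data is the one the two helpers make visible: a value that can be influenced by a remote client (Host header, request line, proxied FTP listing entry) must pass through an escaping step on every path that reaches HTML, not just the obvious ones.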

Tags: Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CESA-2013_0815
CVE-2012-3499
DSA-2637-1
HPSBUX02866
OPENSUSE-SU-2024:10268-1
RHSA-2013:0815
RHSA-2013:1011
RHSA-2013:1012
RHSA-2013:1207
RHSA-2013:1208
RHSA-2013_0815
SUSE-SU-2013_0648-1
SUSE-SU-2013_0648-2

Affected Products

Apache Http Server
Centos
Hp-Ux
Red Hat
Suse