PT-2019-3893 · Apache+7 · Apache Http Server+7
Published: 2019-07-09 · Updated: 2025-09-29
CVE-2019-10092
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Apache HTTP Server versions 2.4.0 through 2.4.39
Description
A limited cross-site scripting issue was reported affecting the mod_proxy error page in Apache HTTP Server. This issue could allow an attacker to cause the link on the error page to be malformed, pointing to a page of their choice, but only where a server was set up with proxying enabled and misconfigured to display the Proxy Error page. The vulnerability is related to the failure to protect the structure of web pages, which could allow a remote attacker to redirect users to a malicious site using a specially crafted web page.
Recommendations
For Apache HTTP Server versions 2.4.0 through 2.4.39, consider disabling the mod_proxy module until a patch is available to prevent exploitation of the limited cross-site scripting issue in the mod_proxy error page. Restrict access to the mod_proxy error page to minimize the risk of exploitation. As a temporary workaround, ensure proper configuration of proxying to avoid displaying the Proxy Error page.
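Added example, not part of the advisory or of Apache's code: a Python check that combines the affected version range above with a scan of an httpd configuration for proxying that can still fall back to the default Proxy Error page. It assumes that "proper configuration" means custom `ErrorDocument` pages for 502, 503 and 504; the function names and sample configurations are constructed for illustration.

```python
import re

AFFECTED = ((2, 4, 0), (2, 4, 39))      # range stated in the advisory
GATEWAY_CODES = {"502", "503", "504"}   # assumption: statuses behind the Proxy Error page

def version_affected(banner):
    """True if an 'Apache/x.y.z' banner falls inside the advisory's range."""
    # Distribution packages may backport fixes, so a hit is a lead, not proof.
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return bool(m) and AFFECTED[0] <= tuple(int(p) for p in m.groups()) <= AFFECTED[1]

def audit_config(text):
    """Scan one httpd config text; Include files and static modules are not resolved."""
    proxy_loaded, proxying, covered = False, False, set()
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue                     # blank line or comment
        name = tokens[0].lower()         # directive names are case-insensitive
        if name == "loadmodule" and len(tokens) > 1 and tokens[1] == "proxy_module":
            proxy_loaded = True
        elif name in ("proxypass", "proxypassmatch"):
            proxying = True
        elif name == "errordocument" and len(tokens) > 2:
            covered.add(tokens[1])       # status code that has a custom page
    missing = sorted(GATEWAY_CODES - covered)
    return {"proxy_loaded": proxy_loaded, "proxying": proxying,
            "missing_error_documents": missing,
            "default_page_possible": proxying and bool(missing)}

def needs_attention(banner, config_text):
    """Affected version plus proxying that can still show the default error page."""
    return version_affected(banner) and audit_config(config_text)["default_page_possible"]

# Constructed sample configurations, not taken from any real server.
SAMPLE_WEAK = """\
LoadModule proxy_module modules/mod_proxy.so
# ErrorDocument 502 /errors/gateway.html
ProxyPass "/app" "http://127.0.0.1:8080/app"
"""
SAMPLE_HARDENED = SAMPLE_WEAK + """\
ErrorDocument 502 /errors/gateway.html
ErrorDocument 503 /errors/gateway.html
ErrorDocument 504 /errors/gateway.html
"""

if __name__ == "__main__":
    print(needs_attention("Apache/2.4.38 (Debian)", SAMPLE_WEAK), audit_config(SAMPLE_WEAK))
```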
Exploit
Fix
XSS
Affected Products
Alt Linux
Almalinux
Apache Http Server
Centos
Red Hat
Rocky Linux
Suse
Ubuntu