id: CVE-2019-10092 info: name: Apache HTTP Server <=2.4.39 - HTML Injection/Partial Cross-Site Scripting author: pdteam severity: medium description: Apache HTTP Server versions 2.4.0 through 2.4.39 are vulnerable to a limited cross-site scripting issue affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed. impact: | Successful exploitation of this vulnerability could allow an attacker to inject malicious HTML code or execute arbitrary JavaScript code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. remediation: | Upgrade to Apache HTTP Server version 2.4.40 or later, which includes a fix for this vulnerability. reference: - https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-10092-Limited%20Cross-Site%20Scripting%20in%20mod_proxy%20Error%20Page-Apache%20httpd - https://httpd.apache.org/security/vulnerabilities_24.html - https://lists.debian.org/debian-lts-announce/2019/09/msg00034.html - https://nvd.nist.gov/vuln/detail/CVE-2019-10092 - http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00004.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2019-10092 cwe-id: CWE-79 epss-score: 0.07116 epss-percentile: 0.9334 cpe: cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: apache product: http_server tags: cve,cve2019,apache,htmli,injection http: - method: GET path: - '{{BaseURL}}/%5cgoogle.com/evil.html' matchers: - type: word words: - "" # digest: 4b0a00483046022100cf7b74757369fdca2726f4be8043d410911a61a6ff57c674a2fdea6db7e5ff72022100b31692e88e01fa8ac9c6e6ade337723ae79cab3ee421101a31b483f51497a1b2:922c64590222798bb761d5b6d8e72950