CVE-2008-2168

NameCVE-2008-2168
DescriptionCross-site scripting (XSS) vulnerability in Apache 2.2.6 and earlier allows remote attackers to inject arbitrary web script or HTML via UTF-7 encoded URLs that are not properly handled when displaying the 403 Forbidden error page.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
apache2 (PTS)buster2.4.38-3+deb10u8fixed
buster (security)2.4.38-3+deb10u10fixed
bullseye2.4.56-1~deb11u2fixed
bullseye (security)2.4.56-1~deb11u1fixed
bookworm, sid2.4.57-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
apache2sourceetch2.2.3-4+etch4low
apache2source(unstable)2.2.8-1low

Notes

This is really a browser issue. Recent apache versions add a workaround.
Search for package or bug name: Reporting problems