DescriptionModSecurity before 2.5.11 treats request parameter values containing single quotes as files, which allows remote attackers to bypass filtering rules and perform other attacks such as cross-site scripting (XSS) attacks via a single quote in a request parameter in the Content-Disposition field of a request with a multipart/form-data Content-Type header.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
modsecurity-apache (PTS)buster2.9.3-1+deb10u1fixed
buster (security)2.9.3-1+deb10u2fixed
bullseye (security), bullseye2.9.3-3+deb11u1fixed
bookworm, sid2.9.7-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
modsecurity-apachesource(unstable)(not affected)


- modsecurity-apache <not-affected> (Fixed before initial upload)

Search for package or bug name: Reporting problems