Cross-site scripting (XSS) vulnerability in the mod_negotiation module
in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series,
2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the
1.3.x series allows remote authenticated users to inject arbitrary web
script or HTML by uploading a file with a name containing XSS
sequences and a file extension, which leads to injection within a (1)
"406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when
the extension is omitted in a request for the file.
Note:References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
BUGTRAQ:20080122 Apache mod_negotiation Xss and Http Response Splitting
Disclaimer: The entry creation date may reflect when
the CVE-ID was allocated or reserved, and does not
necessarily indicate when this vulnerability was
discovered, shared with the affected vendor, publicly
disclosed, or updated in CVE.
This is an entry on the CVE
list, which standardizes names for security