CVE - CVE-2019-10092

CVE-ID
CVE-2019-10092	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
BUGTRAQ:20190826 [SECURITY] [DSA 4509-1] apache2 security update URL:https://seclists.org/bugtraq/2019/Aug/47 BUGTRAQ:20191016 [SECURITY] [DSA 4509-3] apache2 security update URL:https://seclists.org/bugtraq/2019/Oct/24 CONFIRM:https://security.netapp.com/advisory/ntap-20190905-0003/ CONFIRM:https://support.f5.com/csp/article/K30442259 DEBIAN:DSA-4509 URL:https://www.debian.org/security/2019/dsa-4509 FEDORA:FEDORA-2019-099575a123 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7RVHJHTU4JN3ULCQ44F2G6LZBF2LGNTC/ GENTOO:GLSA-201909-04 URL:https://security.gentoo.org/glsa/201909-04 MISC:https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-10092-Limited%20Cross-Site%20Scripting%20in%20mod_proxy%20Error%20Page-Apache%20httpd URL:https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-10092-Limited%20Cross-Site%20Scripting%20in%20mod_proxy%20Error%20Page-Apache%20httpd MISC:https://httpd.apache.org/security/vulnerabilities_24.html URL:https://httpd.apache.org/security/vulnerabilities_24.html MISC:https://www.oracle.com/security-alerts/cpuapr2020.html URL:https://www.oracle.com/security-alerts/cpuapr2020.html MISC:https://www.oracle.com/security-alerts/cpujan2020.html URL:https://www.oracle.com/security-alerts/cpujan2020.html MISC:https://www.oracle.com/security-alerts/cpujul2020.html URL:https://www.oracle.com/security-alerts/cpujul2020.html MISC:https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html URL:https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html MLIST:[debian-lts-announce] 20190828 [SECURITY] [DLA 1900-1] apache2 security update URL:https://lists.debian.org/debian-lts-announce/2019/08/msg00034.html MLIST:[debian-lts-announce] 20190930 [SECURITY] [DLA 1900-2] apache2 regression update URL:https://lists.debian.org/debian-lts-announce/2019/09/msg00034.html MLIST:[httpd-announce] 20190814 CVE-2019-10092: Limited cross-site scripting in mod_proxy URL:https://lists.apache.org/thread.html/73768e31e0fcae03e12f5aa87da1cb26dece39327f3c32060baa3e94@%3Cannounce.httpd.apache.org%3E MLIST:[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html URL:https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E MLIST:[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html URL:https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E MLIST:[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html URL:https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E MLIST:[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/ URL:https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E MLIST:[httpd-cvs] 20210330 svn commit: r1073139 [12/13] - in /websites/staging/httpd/trunk/content: ./ security/json/ URL:https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d@%3Ccvs.httpd.apache.org%3E MLIST:[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html URL:https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E MLIST:[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/ URL:https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf@%3Ccvs.httpd.apache.org%3E MLIST:[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/ URL:https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E MLIST:[httpd-cvs] 20210330 svn commit: r1073149 [13/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/ URL:https://lists.apache.org/thread.html/r3c5c3104813c1c5508b55564b66546933079250a46ce50eee90b2e36@%3Ccvs.httpd.apache.org%3E MLIST:[httpd-cvs] 20210330 svn commit: r1888194 [12/13] - /httpd/site/trunk/content/security/json/ URL:https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538@%3Ccvs.httpd.apache.org%3E MLIST:[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html URL:https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3Ccvs.httpd.apache.org%3E MLIST:[httpd-users] 20200202 Re: [users@httpd] Small difference on error messages URL:https://lists.apache.org/thread.html/r0a83b112cd9701ef8a2061c8ed557f3dc9bb774d4da69fbb91bbc3c4@%3Cusers.httpd.apache.org%3E MLIST:[oss-security] 20190814 CVE-2019-10092: Limited cross-site scripting in mod_proxy URL:http://www.openwall.com/lists/oss-security/2019/08/15/4 MLIST:[oss-security] 20200808 Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow URL:http://www.openwall.com/lists/oss-security/2020/08/08/1 MLIST:[oss-security] 20200808 Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow URL:http://www.openwall.com/lists/oss-security/2020/08/08/9 REDHAT:RHSA-2019:4126 URL:https://access.redhat.com/errata/RHSA-2019:4126 SUSE:openSUSE-SU-2019:2051 URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00004.html UBUNTU:USN-4113-1 URL:https://usn.ubuntu.com/4113-1/
Assigning CNA
Apache Software Foundation
Date Record Created
20190326	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20190326)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)