Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list.
Unitrends assessment: Medium Risk
You may already have received the new httpd, but if not, update httpd.
To update to the new version with the fix, either do 'yum update httpd' from the command line, or perform an update from the UI.
- httpd-2.2.3-74.el5 or later for CentOS5
- httpd-2.2.15-26.el6 or later for CentOS6
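To confirm that a host has the fixed build and to see whether MultiViews is turned on at all, the following added example (not part of the original advisory) compares a version-release string with the builds listed above and searches configuration files for Options lines that enable MultiViews. The function names and the /etc/httpd paths are assumptions, and the comparison is a simplification of RPM's own version ordering.

```shell
#!/bin/sh
# Added example: function names are illustrative, not from the advisory.
# Simplification: only the numeric version and the leading release number
# are compared, which is narrower than RPM's own comparison algorithm.

# "2.2.15-26.el6.centos" -> "2 2 15 26"; prints nothing if malformed.
vr_fields() {
    printf '%s\n' "$1" | sed -n \
        's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\)-\([0-9][0-9]*\).*$/\1 \2 \3 \4/p'
}

# Exit 0 if $1 >= $2, 1 if older, 2 if either string cannot be parsed.
vr_at_least() {
    set -- $(vr_fields "$1") $(vr_fields "$2")
    [ $# -eq 8 ] || return 2
    for pair in "$1:$5" "$2:$6" "$3:$7" "$4:$8"; do
        [ "${pair%:*}" -gt "${pair#*:}" ] && return 0
        [ "${pair%:*}" -lt "${pair#*:}" ] && return 1
    done
    return 0
}

# Exit 0 if the build carries the fix, 1 if not, 2 if the dist tag is not el5/el6.
httpd_has_fix() {
    case "$1" in
        *.el5*) vr_at_least "$1" "2.2.3-74.el5" ;;
        *.el6*) vr_at_least "$1" "2.2.15-26.el6" ;;
        *) return 2 ;;
    esac
}

# Print file:line:text for Options lines that turn MultiViews on
# (commented-out lines and "-MultiViews" are not matched).
multiviews_lines() {
    grep -rHniE '^[[:space:]]*Options[[:space:]]+(.*[[:space:]])?\+?MultiViews' "$@"
}

# Report for the local host; assumes the stock CentOS layout under /etc/httpd.
check_host() {
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' httpd) || return 2
    rc=0; httpd_has_fix "$vr" || rc=$?
    case $rc in
        0) echo "httpd $vr: fixed build" ;;
        1) echo "httpd $vr: older than the fixed build, update httpd" ;;
        *) echo "httpd $vr: not an el5/el6 build, check manually" ;;
    esac
    multiviews_lines /etc/httpd/conf /etc/httpd/conf.d || echo "no Options line enables MultiViews"
}
```

Run check_host on the server itself. Options can also be set in .htaccess files, so pass the document roots to multiviews_lines as well.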