Upstream information
Description
ModSecurity before 2.6.6, when used with PHP, does not properly handle single quotes not at the beginning of a request parameter value in the Content-Disposition field of a request with a multipart/form-data Content-Type header, which allows remote attackers to bypass filtering rules and perform other attacks such as cross-site scripting (XSS) attacks. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-5031.SUSE information
Overall state of this security issue: Resolved
This issue is currently rated as having moderate severity.
National Vulnerability Database | |
---|---|
Base Score | 4.3 |
Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |
Access Vector | Network |
Access Complexity | Medium |
Authentication | None |
Confidentiality Impact | None |
Integrity Impact | Partial |
Availability Impact | None |
SUSE Security Advisories:
- openSUSE-SU-2013:1331-1, published Wed, 14 Aug 2013 03:04:27 +0200 (CEST)
- openSUSE-SU-2013:1336-1, published Wed, 14 Aug 2013 03:07:06 +0200 (CEST)
- openSUSE-SU-2013:1342-1, published Wed, 14 Aug 2013 09:04:47 +0200 (CEST)
List of released packages
Product(s) | Fixed package version(s) | References |
---|---|---|
SUSE Enterprise Storage 6 SUSE Linux Enterprise High Performance Computing 15 SP1 SUSE Linux Enterprise Module for Server Applications 15 SP1 SUSE Linux Enterprise Server 15 SP1 SUSE Linux Enterprise Server for SAP Applications 15 SP1 SUSE Manager Proxy 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Server 4.0 |
| Patchnames: SUSE Linux Enterprise Module for Server Applications 15 SP1 GA apache2-mod_security2-2.9.2-1.34 |
SUSE Enterprise Storage 7 SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise Module for Server Applications 15 SP2 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Manager Proxy 4.1 SUSE Manager Retail Branch Server 4.1 SUSE Manager Server 4.1 |
| Patchnames: SUSE Linux Enterprise Module for Server Applications 15 SP2 GA apache2-mod_security2-2.9.2-1.34 |
SUSE Linux Enterprise High Performance Computing 15 SUSE Linux Enterprise Module for Server Applications 15 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server for SAP Applications 15 |
| Patchnames: SUSE Linux Enterprise Module for Server Applications 15 GA apache2-mod_security2-2.9.2-1.34 |
SUSE Linux Enterprise Server 11 SP3 |
| Patchnames: SUSE Linux Enterprise Server 11 SP3 GA apache2-mod_security2-2.7.1-0.2.12.1 |
SUSE Linux Enterprise Server 11 SP4 |
| Patchnames: SUSE Linux Enterprise Server 11 SP4 GA apache2-mod_security2-2.7.1-0.2.18.1 |
openSUSE Tumbleweed |
| Patchnames: openSUSE Tumbleweed GA apache2-mod_security2-2.9.0-5.6 |
SUSE Timeline for this CVE
CVE page created: Fri Jun 28 08:39:59 2013CVE page last modified: Mon Feb 13 11:38:00 2023