CVE-2000-1205 : Cross site scripting vulnerabilities in Apache 1.3.0 through 1.3.11 allow remote attackers to execute script as other we

Cross site scripting vulnerabilities in Apache 1.3.0 through 1.3.11 allow remote attackers to execute script as other web site visitors via (1) the printenv CGI (printenv.pl), which does not encode its output, (2) pages generated by the ap_send_error_response function such as a default 404, which does not add an explicit charset, or (3) various messages that are generated by certain Apache modules or core code. NOTE: the printenv issue might still exist for web browsers that can render text/plain content types as HTML, such as Internet Explorer, but CVE regards this as a design limitation of those browsers, not Apache. The printenv.pl/acuparam vector, discloser on 20070724, is one such variant.

Published 2000-02-01 05:00:00

Updated 2021-06-06 11:15:10

Source MITRE

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Threat overview for CVE-2000-1205

Top countries where our scanners detected CVE-2000-1205

Top open port discovered on systems with this issue 80

IPs affected by CVE-2000-1205 374

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2000-1205!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2000-1205

Probability of exploitation activity in the next 30 days: 0.26%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 63 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2000-1205

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2000-1205

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: nvd@nist.gov (Primary)

Vendor statements for CVE-2000-1205

Apache 2008-07-02

Fixed in Apache HTTP Server 1.3.12: http://httpd.apache.org/security/vulnerabilities_13.html

References for CVE-2000-1205

https://lists.apache.org/thread.html/rf2f0f3611f937cf6cfb3b4fe4a67f69885855126110e1e3f2fb2728e@%3Ccvs.httpd.apache.org%3E

svn commit: r1075470 [1/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_2

CVEs referencing this url
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E

svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/ - Pony Mail

CVEs referencing this url
https://exchange.xforce.ibmcloud.com/vulnerabilities/10938
http://archives.neohapsis.com/archives/bugtraq/2002-12/0233.html
http://archive.cert.uni-stuttgart.de/bugtraq/2002/12/msg00243.html
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E

Pony Mail!

CVEs referencing this url
http://marc.info/?l=bugtraq&m=118529436424127&w=2
https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5@%3Ccvs.httpd.apache.org%3E

svn commit: r1073140 [1/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html s

CVEs referencing this url
https://lists.apache.org/thread.html/r5f9c22f9c28adbd9f00556059edc7b03a5d5bb71d4bb80257c0d34e4@%3Ccvs.httpd.apache.org%3E

svn commit: r1075360 [1/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_2

CVEs referencing this url
http://httpd.apache.org/info/css-security/apache_specific.html

Patch;Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/35597

Products affected by CVE-2000-1205

Apache » Http Server » Version: 1.3.9
cpe:2.3:a:apache:http_server:1.3.9:*:*:*:*:*:*:*
Matching versions
Apache » Http Server » Version: 1.3.11
cpe:2.3:a:apache:http_server:1.3.11:*:*:*:*:*:*:*
Matching versions
Apache » Http Server » Version: 1.3.0
cpe:2.3:a:apache:http_server:1.3.0:*:*:*:*:*:*:*
Matching versions
Apache » Http Server » Version: 1.3.5
cpe:2.3:a:apache:http_server:1.3.5:*:*:*:*:*:*:*
Matching versions
Apache » Http Server » Version: 1.3.6
cpe:2.3:a:apache:http_server:1.3.6:*:*:*:*:*:*:*
Matching versions
Apache » Http Server » Version: 1.3.1
cpe:2.3:a:apache:http_server:1.3.1:*:*:*:*:*:*:*
Matching versions
Apache » Http Server » Version: 1.3.10
cpe:2.3:a:apache:http_server:1.3.10:*:*:*:*:*:*:*
Matching versions
Apache » Http Server » Version: 1.3.7
cpe:2.3:a:apache:http_server:1.3.7:*:*:*:*:*:*:*
Matching versions
Apache » Http Server » Version: 1.3.8
cpe:2.3:a:apache:http_server:1.3.8:*:*:*:*:*:*:*
Matching versions
Apache » Http Server » Version: 1.3.2
cpe:2.3:a:apache:http_server:1.3.2:*:*:*:*:*:*:*
Matching versions
Apache » Http Server » Version: 1.3.3
cpe:2.3:a:apache:http_server:1.3.3:*:*:*:*:*:*:*
Matching versions
Apache » Http Server » Version: 1.3.4
cpe:2.3:a:apache:http_server:1.3.4:*:*:*:*:*:*:*
Matching versions