CVE-2023-6710

Summary

A flaw was found in the mod_proxy_cluster in the Apache server. This issue may allow a malicious user to add a script in the 'alias' parameter in the URL to trigger the stored cross-site scripting (XSS) vulnerability. By adding a script on the alias parameter on the URL, it adds a new virtual host and adds the script to the cluster-manager page.

Affected Software

VendorProductVersion RangeStatus
Red HatJBoss Core Services for RHEL 80:1.3.20-3.el8jbcs < *unaffected
Red HatJBoss Core Services on RHEL 70:1.3.20-3.el7jbcs < *unaffected
Red HatRed Hat Enterprise Linux 90:1.3.20-1.el9_4 < *unaffected

Weaknesses

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Workarounds

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

ADP Enrichment

CVE Program Container

Additional References

References