Description
protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script.
Remediation
References