Description
Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.
Remediation
References
Related Vulnerabilities
WordPress Plugin WP-RESTful Multiple Cross-Site Scripting Vulnerabilities (0.1)
PostgreSQL Uncontrolled Recursion Vulnerability (CVE-2026-6479)
WordPress Plugin Fusion:Extension-Map Multiple Unspecified Vulnerabilities (1.0.3)
Apache HTTP Server NULL Pointer Dereference Vulnerability (CVE-2017-3169)