Description
This version of Apache is vulnerable to HTML injection (including malicious JavaScript code) through the "Expect" header. Until now this was not classified as a security vulnerability, since an attacker had no way to make a victim's browser send a crafted Expect header to a target website. However, according to Amit Klein's paper "Forging HTTP request headers with Flash", there is a working cross-site scripting (XSS) attack against Apache 1.3.34, 2.0.57 and 2.2.1 (as long as the client browser is IE or Firefox and it supports Flash 6/7+).
Affected Apache versions: up to 1.3.34/2.0.57/2.2.1.
Remediation
Upgrade to the latest Apache version. This flaw has been corrected in Apache versions 1.3.35/2.0.58/2.2.2.
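To triage an inventory against the fixed versions listed above, the following added example (not part of the original advisory) classifies a `Server` response header per branch. The function names and sample banners are constructed for illustration. A banner reports only the upstream version string, so a vendor package with a backported fix can still show as affected and needs checking against the vendor's changelog.

```python
import re

# First fixed release per branch, taken from the advisory text above.
FIXED = {(1, 3): (1, 3, 35), (2, 0): (2, 0, 58), (2, 2): (2, 2, 2)}

# Matches the full three-part version that Apache emits with "ServerTokens Full/OS/Min".
_BANNER = re.compile(r"\bApache/(\d+)\.(\d+)\.(\d+)\b")


def classify_banner(server_header):
    """Return 'affected', 'fixed' or 'unknown' for a Server header value."""
    match = _BANNER.search(server_header or "")
    if not match:
        # "ServerTokens Prod"/"Major"/"Minor", a proxy, or a different product:
        # the banner cannot confirm the patch level either way.
        return "unknown"
    version = tuple(int(part) for part in match.groups())
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Branch not named in the advisory; do not guess.
        return "unknown"
    return "affected" if version < fixed else "fixed"


def triage(banners):
    """Group host -> banner pairs by classification for a quick report."""
    report = {"affected": [], "fixed": [], "unknown": []}
    for host, banner in banners.items():
        report[classify_banner(banner)].append(host)
    return report


# Constructed sample inventory (hostnames and banners are made up).
SAMPLE = {
    "web01.example": "Apache/1.3.34 (Unix) mod_ssl/2.8.25",
    "web02.example": "Apache/2.0.58 (Unix)",
    "web03.example": "Apache/2.2.1",
    "web04.example": "Apache",             # ServerTokens Prod
    "app01.example": "Apache-Coyote/1.1",  # different product
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(sorted(hosts)) or '-'}")
```

Hosts reported as `unknown` still need a package-level check, since a suppressed banner says nothing about the patch level.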