Apache HTTP Server: Malicious Scripts Injected in Authentication
CVE-2024-10242
Summary
Apache HTTP Server's authentication endpoint does not properly validate user-supplied input before reflecting it in the response, allowing attackers to inject malicious script that can redirect users to fake sites, alter web page content, or steal information. To protect your users, update Apache HTTP Server to the latest version and ensure that sensitive cookies are configured with the httpOnly flag.
Original title
The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an attacker to inject malicious script payloads into the input pa...
Original description
The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an attacker to inject malicious script payloads into the input parameters, which are then executed by the victim's browser.
Successful exploitation can enable an attacker to redirect the user's browser to a malicious website, modify the UI of the web page, or retrieve information from the browser. However, the impact is limited as session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking.
NVD CVSS 3.1
6.1
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 16 Apr 2026