Fluid Attacks Database

Description

ModSecurity before 2.6.6, when used with PHP, does not properly handle single quotes not at the beginning of a request parameter value in the Content-Disposition field of a request with a multipart/form-data Content-Type header, which allows remote attackers to bypass filtering rules and perform other attacks such as cross-site scripting (XSS) attacks. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-5031.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	modsecurity-apache	>=0 <2.6.6-1	2.6.6-1
debian 13	modsecurity-apache	>=0 <2.6.6-1	2.6.6-1
debian 12	modsecurity-apache	>=0 <2.6.6-1	2.6.6-1
debian 11	modsecurity-apache	>=0 <2.6.6-1	2.6.6-1

Aliases

1. CVE-2012-27512. NVD-2012-27513. OSV-DEBIAN-2012-27514. OSV-2012-27515. SECURITY-TRACKER-CVE-2012-2751

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.