------------------------------------------------------------------------ Reflected Cross-Site Scripting vulnerability in asdoc generated documentation ------------------------------------------------------------------------ Radjnies Bhansingh, March 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ A reflected Cross-Site scripting vulnerability was found in Apache Flex's asdoc generated API documentation. This issue allows attackers to perform a wide variety of actions, such as stealing victims' session tokens or login credentials if available, performing arbitrary actions on their behalf but also performing arbitrary redirects to potential malicious websites. ------------------------------------------------------------------------ Affected products ------------------------------------------------------------------------ Apache Flex reports that all versions of Apache Flex before 4.14.1 are affected by this vulnerability. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ The Apache Flex team fixed the issue in asdoc in Apache Flex 4.14.1. Users can also manually apply the following patch to fix this issue manually. https://git-wip-us.apache.org/repos/asf/flex-sdk/repo?p=flex-sdk.git;a=commitdiff;h=151c6fa1e46529acb74c1baf056d431da1db0422 Users should upgrade their version of Apache Flex and regenerate their current documentation generated with asdoc. Please note that any local modification to the asdoc index.html will need to be saved as they are not reapplied by asdoc on the newly generated documentation. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20150301/reflected_cross_site_scripting_vulnerability_in_asdoc_generated_documentation.html