Apache Continuum cross-site scripting vulnerability

2011.02.21
Credit: Tal Be'ery
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


Ogólna skala CVSS: 4.3/10
Znaczenie: 2.9/10
Łatwość wykorzystania: 8.6/10
Wymagany dostęp: Zdalny
Złożoność ataku: Średnia
Autoryzacja: Nie wymagana
Wpływ na poufność: Brak
Wpływ na integralność: Częściowy
Wpływ na dostępność: Brak

CVE-2011-0533: Apache Continuum cross-site scripting vulnerability Severity: Important Vendor: The Apache Software Foundation Versions Affected: Continuum 1.3.6 Continuum 1.4.0 (Beta) The unsupported versions Continuum 1.1 - 1.2.3.1 are also affected. Description: A request that included a specially crafted request parameter could be used to inject arbitrary HTML or Javascript into Continuum project pages. Mitigation: Continuum 1.3.6 and earlier users should upgrade to 1.3.7 Continuum 1.4.0 (Beta) users should apply the following patch: http://svn.apache.org/viewvc?view=revision&revision=1066056 Credit: This issue was discovered by Tal Be'ery of Imperva. References: http://continuum.apache.org/security.html -- Brett Porter brett (at) apache (dot) org [email concealed] http://brettporter.wordpress.com/ http://au.linkedin.com/in/brettporter

Referencje:

http://svn.apache.org/viewvc?view=revision&revision=1066056
http://svn.apache.org/viewvc?view=revision&revision=1066053
http://seclists.org/fulldisclosure/2011/Feb/236
http://xforce.iss.net/xforce/xfdb/65343
http://www.vupen.com/english/advisories/2011/0373
http://www.securityfocus.com/bid/46311
http://www.securityfocus.com/archive/1/archive/1/516342/100/0/threaded
http://securitytracker.com/id?1025065
http://secunia.com/advisories/43261
http://mail-archives.apache.org/mod_mbox/continuum-users/201102.mbox/%3C981C0A79-5B7B-4053-84CC-3217870BE360@apache.org%3E
http://jira.codehaus.org/browse/CONTINUUM-2604
http://continuum.apache.org/security.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top