CVE-2011-0533: Apache Continuum cross-site scripting vulnerability Severity: Important Vendor: The Apache Software Foundation Versions Affected: Continuum 1.3.6 Continuum 1.4.0 (Beta) The unsupported versions Continuum 1.1 - 1.2.3.1 are also affected. Description: A request that included a specially crafted request parameter could be used to inject arbitrary HTML or Javascript into Continuum project pages. Mitigation: Continuum 1.3.6 and earlier users should upgrade to 1.3.7 Continuum 1.4.0 (Beta) users should apply the following patch: http://svn.apache.org/viewvc?view=revision&revision=1066056 Credit: This issue was discovered by Tal Be'ery of Imperva. References: http://continuum.apache.org/security.html -- Brett Porter brett (at) apache (dot) org [email concealed] http://brettporter.wordpress.com/ http://au.linkedin.com/in/brettporter