Apache Roller 4.x / 5.x Cross Site Scripting

2012-06-26 / 2012-08-15
Credit: Jun Zhu
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


Ogólna skala CVSS: 3.5/10
Znaczenie: 2.9/10
Łatwość wykorzystania: 6.8/10
Wymagany dostęp: Zdalny
Złożoność ataku: Średnia
Autoryzacja: Jednorazowa
Wpływ na poufność: Brak
Wpływ na integralność: Częściowy
Wpływ na dostępność: Brak

Severity: important Vendor: The Apache Software Foundation Versions Affected: Roller 4.0.0 to Roller 4.0.1 Roller 5.0 The unsupported Roller 3.1 release is also affected Description: Roller trusts bloggers to post HTML and JavaScript code in the weblog and for some sites this can be a problem because users are untrusted and could post malicious code and exploit XSS. This issue has be addressed by added a new configiration property weblogAdminsUntrusted flag that, when set to 'true' will cause all weblog content to be HTML sanitized. Mitigation Roller 4.0 and 4.0.1 users should upgrade to Roller 5.0.1 Roller 5.0 users should upgrade to Roller 5.0.1 Roller 3.1 users should upgrade to Roller 5.0.1 Credit: This issue was discovered by Jun Zhu, PhD student, University of North Carolina, Charlotte

Referencje:

http://packetstormsecurity.org/files/114167/CVE-2012-2381.txt


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top