Vulnerability CVE-2011-1077


Published: 2011-06-02   Modified: 2011-09-21

Description:
Multiple cross-site scripting (XSS) vulnerabilities in Apache Archiva 1.0 through 1.2.2, and 1.3.x before 1.3.5, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

See advisories in our WLB2 database:
Topic
Author
Date
Low
Apache Archiva Multiple XSS vulnerability
Deng Ching
04.06.2011

Type:

CWE-79

(Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

Vendor: Apache
Product: Archiva 
Version:
1.3.4
1.3.3
1.3.2
1.3.1
1.3
1.2.2
1.2.1
1.2-m1
1.2
1.1.4
1.1.3
1.1.2
1.1.1
1.1
1.0.3
1.0.2
1.0.1
1.0

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

 References:
http://xforce.iss.net/xforce/xfdb/67672
http://www.securityfocus.com/bid/48011
http://www.securityfocus.com/archive/1/archive/1/518167/100/0/threaded
http://securityreason.com/securityalert/8267
http://secunia.com/advisories/44693
http://archives.neohapsis.com/archives/fulldisclosure/2011-05/0531.html
http://archiva.apache.org/security.html
http://archiva.apache.org/docs/1.3.5/release-notes.html

Related CVE
CVE-2017-7661
Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications. A CSRF (Cross Style Request Forgery) style vulnerability has been found in the Spring 2, Spring 3, Jetty 8 and Jetty 9 plugins in Apache CXF ...
CVE-2017-7662
Apache CXF Fediz ships with an OpenId Connect (OIDC) service which has a Client Registration Service, which is a simple web application that allows clients to be created, deleted, etc. A CSRF (Cross Style Request Forgery) style vulnerability has been...
CVE-2017-5655
In Ambari 2.2.2 through 2.4.2 and Ambari 2.5.0, sensitive data may be stored on disk in temporary files on the Ambari Server host. The temporary files are readable by any user authenticated on the host.
CVE-2017-5654
In Ambari 2.4.x (before 2.4.3) and Ambari 2.5.0, an authorized user of the Ambari Hive View may be able to gain unauthorized read access to files on the host where the Ambari server executes.
CVE-2016-6799
Product: Apache Cordova Android 5.2.2 and earlier. The application calls methods of the Log class. Messages passed to these methods (Log.v(), Log.d(), Log.i(), Log.w(), and Log.e()) are stored in a series of circular buffers on the device. By default...
CVE-2016-4467
The C client and C-based client bindings in the Apache Qpid Proton library before 0.13.1 on Windows do not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certifica...
CVE-2017-3161
The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross-site scripting (XSS) attack through an unescaped query parameter.
CVE-2017-3162
HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. The NameNode is provided as a query parameter that is not validated in Apache Hadoop before 2.7.0.

Copyright 2017, cxsecurity.com