Vulnerability CVE-2011-1077


Published: 2011-06-02   Modified: 2011-09-21

Description:
Multiple cross-site scripting (XSS) vulnerabilities in Apache Archiva 1.0 through 1.2.2, and 1.3.x before 1.3.5, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

See advisories in our WLB2 database:
Topic
Author
Date
Low
Apache Archiva Multiple XSS vulnerability
Deng Ching
04.06.2011

Type:

CWE-79

(Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

Vendor: Apache
Product: Archiva 
Version:
1.3.4
1.3.3
1.3.2
1.3.1
1.3
1.2.2
1.2.1
1.2-m1
1.2
1.1.4
1.1.3
1.1.2
1.1.1
1.1
1.0.3
1.0.2
1.0.1
1.0

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

 References:
http://xforce.iss.net/xforce/xfdb/67672
http://www.securityfocus.com/bid/48011
http://www.securityfocus.com/archive/1/archive/1/518167/100/0/threaded
http://securityreason.com/securityalert/8267
http://secunia.com/advisories/44693
http://archives.neohapsis.com/archives/fulldisclosure/2011-05/0531.html
http://archiva.apache.org/security.html
http://archiva.apache.org/docs/1.3.5/release-notes.html

Related CVE
CVE-2014-0115
Directory traversal vulnerability in the log viewer in Apache Storm 0.9.0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter to log.
CVE-2014-3624
Apache Traffic Server 5.1.x before 5.1.1 allows remote attackers to bypass access restrictions by leveraging failure to properly tunnel remap requests using CONNECT.
CVE-2016-5002
XML external entity (XXE) vulnerability in the Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted DTD.
CVE-2016-5003
The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element.
CVE-2015-1835
Apache Cordova Android before 3.7.2 and 4.x before 4.0.2, when an application does not set explicit values in config.xml, allows remote attackers to modify undefined secondary configuration variables (preferences) via a crafted intent: URL.
CVE-2014-3600
XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before 5.10.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages.
CVE-2014-3579
XML external entity (XXE) vulnerability in Apache ActiveMQ Apollo 1.x before 1.7.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages.
CVE-2012-1622
Apache OFBiz 10.04.x before 10.04.02 allows remote attackers to execute arbitrary code via unspecified vectors.

Copyright 2017, cxsecurity.com

 

Back to Top