Apache Flex asdoc Cross Site Scripting

2015-04-08 / 2015-04-12
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

------------------------------------------------------------------------ Reflected Cross-Site Scripting vulnerability in asdoc generated documentation ------------------------------------------------------------------------ Radjnies Bhansingh, March 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ A reflected Cross-Site scripting vulnerability was found in Apache Flex's asdoc generated API documentation. This issue allows attackers to perform a wide variety of actions, such as stealing victims' session tokens or login credentials if available, performing arbitrary actions on their behalf but also performing arbitrary redirects to potential malicious websites. ------------------------------------------------------------------------ Affected products ------------------------------------------------------------------------ Apache Flex reports that all versions of Apache Flex before 4.14.1 are affected by this vulnerability. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ The Apache Flex team fixed the issue in asdoc in Apache Flex 4.14.1. Users can also manually apply the following patch to fix this issue manually. https://git-wip-us.apache.org/repos/asf/flex-sdk/repo?p=flex-sdk.git;a=commitdiff;h=151c6fa1e46529acb74c1baf056d431da1db0422 Users should upgrade their version of Apache Flex and regenerate their current documentation generated with asdoc. Please note that any local modification to the asdoc index.html will need to be saved as they are not reapplied by asdoc on the newly generated documentation. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20150301/reflected_cross_site_scripting_vulnerability_in_asdoc_generated_documentation.html

References:

https://www.securify.nl/advisory/SFY20150301/reflected_cross_site_scripting_vulnerability_in_asdoc_generated_documentation.html
https://git-wip-us.apache.org/repos/asf/flex-sdk/repo?p=flex-sdk.git;a=commitdiff;h=151c6fa1e46529acb74c1baf056d431da1db0422


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top