| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 28 Jan 2011 22:22:45 +0100 From: Jan Lehnardt <jan@...che.org> To: dev@...chdb.apache.org Cc: user@...chdb.apache.org, security@...chdb.apache.org, full-disclosure@...ts.grok.org.uk, security@...che.org, bugtraq@...urityfocus.com Subject: CVE-2010-3854: Apache CouchDB Cross Site Scripting Issue CVE-2010-3854: Apache CouchDB Cross Site Scripting Issue Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache CouchDB 0.8.0 to 1.0.1 Description: Apache CouchDB versions prior to version 1.0.2 are vulnerable to cross site scripting (XSS) attacks. Mitigation: All users should upgrade to CouchDB 1.0.2. Upgrades from the 0.11.x and 0.10.x series should be seamless. Users on earlier versions should consult http://wiki.apache.org/couchdb/Breaking_changes Example: Due to inadequate validation of request parameters and cookie data in Futon, CouchDB's web-based administration UI, a malicious site can execute arbitrary code in the context of a user's browsing session. Credit: This XSS issue was discovered by a source that wishes to stay anonymous. References: http://couchdb.apache.org/downloads.html http://wiki.apache.org/couchdb/Breaking_changes http://en.wikipedia.org/wiki/Cross-site_scripting Jan Lehnardt -- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists