| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 24 Jun 2012 13:03:27 -0400 From: Dave <snoopdave@...il.com> To: user <user@...ler.apache.org>, dev@...ler.apache.org, security@...che.org, full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com Subject: CVE-2012-2381: Apache Roller Cross-Site-Scripting (XSS) vulnerability Severity: important Vendor: The Apache Software Foundation Versions Affected: Roller 4.0.0 to Roller 4.0.1 Roller 5.0 The unsupported Roller 3.1 release is also affected Description: Roller trusts bloggers to post HTML and JavaScript code in the weblog and for some sites this can be a problem because users are untrusted and could post malicious code and exploit XSS. This issue has be addressed by added a new configiration property weblogAdminsUntrusted flag that, when set to 'true' will cause all weblog content to be HTML sanitized. Mitigation Roller 4.0 and 4.0.1 users should upgrade to Roller 5.0.1 Roller 5.0 users should upgrade to Roller 5.0.1 Roller 3.1 users should upgrade to Roller 5.0.1 Credit: This issue was discovered by Jun Zhu, PhD student, University of North Carolina, Charlotte _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists