[<prev] [next>] [day] [month] [year] [list]
Message-Id: <C840F655-C8C5-4EC6-8AA8-DD223E39C34A@apache.org>
Date: Fri, 28 Jan 2011 22:22:45 +0100
From: Jan Lehnardt <jan@...che.org>
To: dev@...chdb.apache.org
Cc: user@...chdb.apache.org, security@...chdb.apache.org,
security@...che.org, full-disclosure@...ts.grok.org.uk,
bugtraq@...urityfocus.com
Subject: CVE-2010-3854: Apache CouchDB Cross Site Scripting Issue
CVE-2010-3854: Apache CouchDB Cross Site Scripting Issue
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Apache CouchDB 0.8.0 to 1.0.1
Description:
Apache CouchDB versions prior to version 1.0.2 are vulnerable to
cross site scripting (XSS) attacks.
Mitigation:
All users should upgrade to CouchDB 1.0.2. Upgrades from the 0.11.x
and 0.10.x series should be seamless. Users on earlier versions
should consult http://wiki.apache.org/couchdb/Breaking_changes
Example:
Due to inadequate validation of request parameters and cookie data in
Futon, CouchDB's web-based administration UI, a malicious site can
execute arbitrary code in the context of a user's browsing session.
Credit:
This XSS issue was discovered by a source that wishes to stay
anonymous.
References:
http://couchdb.apache.org/downloads.html
http://wiki.apache.org/couchdb/Breaking_changes
http://en.wikipedia.org/wiki/Cross-site_scripting
Jan Lehnardt
--
Powered by blists - more mailing lists