[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAF1aazB5NUMtyFcLAWPJZrvZwnvqSVHcUvrV7ZZfGg0Zco+ykA@mail.gmail.com>
Date: Sun, 24 Jun 2012 13:03:27 -0400
From: Dave <snoopdave@...il.com>
To: user <user@...ler.apache.org>, dev@...ler.apache.org, security@...che.org,
full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: CVE-2012-2381: Apache Roller Cross-Site-Scripting (XSS) vulnerability
Severity: important
Vendor: The Apache Software Foundation
Versions Affected:
Roller 4.0.0 to Roller 4.0.1
Roller 5.0
The unsupported Roller 3.1 release is also affected
Description:
Roller trusts bloggers to post HTML and JavaScript code in the weblog
and for some sites this can be a problem because users are untrusted
and could post malicious code and exploit XSS. This issue has be
addressed by added a new configiration property weblogAdminsUntrusted
flag that, when set to 'true' will cause all weblog content to be HTML
sanitized.
Mitigation
Roller 4.0 and 4.0.1 users should upgrade to Roller 5.0.1
Roller 5.0 users should upgrade to Roller 5.0.1
Roller 3.1 users should upgrade to Roller 5.0.1
Credit:
This issue was discovered by Jun Zhu, PhD student, University of North
Carolina, Charlotte
Powered by blists - more mailing lists