[<prev] [next>] [day] [month] [year] [list]
Message-Id: <981C0A79-5B7B-4053-84CC-3217870BE360@apache.org>
Date: Fri, 11 Feb 2011 01:19:40 +1100
From: Brett Porter <brett@...che.org>
To: users@...tinuum.apache.org
Cc: dev@...tinuum.apache.org, full-disclosure@...ts.grok.org.uk,
Apache Security Response Team <security@...che.org>,
bugtraq@...urityfocus.com, announce@...che.org
Subject: [SECURITY] CVE-2011-0533: Apache Continuum
cross-site scripting vulnerability
CVE-2011-0533: Apache Continuum cross-site scripting vulnerability
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Continuum 1.3.6
Continuum 1.4.0 (Beta)
The unsupported versions Continuum 1.1 - 1.2.3.1 are also affected.
Description:
A request that included a specially crafted request parameter could be
used to inject arbitrary HTML or Javascript into Continuum project
pages.
Mitigation:
Continuum 1.3.6 and earlier users should upgrade to 1.3.7
Continuum 1.4.0 (Beta) users should apply the following patch:
http://svn.apache.org/viewvc?view=revision&revision=1066056
Credit:
This issue was discovered by Tal Be'ery of Imperva.
References:
http://continuum.apache.org/security.html
--
Brett Porter
brett@...che.org
http://brettporter.wordpress.com/
http://au.linkedin.com/in/brettporter
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists