| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <55243342.3080106@securify.nl> Date: Tue, 07 Apr 2015 21:42:58 +0200 From: "Securify B.V." <lists@...urify.nl> To: fulldisclosure@...lists.org Subject: [FD] Reflected Cross-Site Scripting vulnerability in asdoc generated documentation ------------------------------------------------------------------------ Reflected Cross-Site Scripting vulnerability in asdoc generated documentation ------------------------------------------------------------------------ Radjnies Bhansingh, March 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ A reflected Cross-Site scripting vulnerability was found in Apache Flex's asdoc generated API documentation. This issue allows attackers to perform a wide variety of actions, such as stealing victims' session tokens or login credentials if available, performing arbitrary actions on their behalf but also performing arbitrary redirects to potential malicious websites. ------------------------------------------------------------------------ Affected products ------------------------------------------------------------------------ Apache Flex reports that all versions of Apache Flex before 4.14.1 are affected by this vulnerability. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ The Apache Flex team fixed the issue in asdoc in Apache Flex 4.14.1. Users can also manually apply the following patch to fix this issue manually. https://git-wip-us.apache.org/repos/asf/flex-sdk/repo?p=flex-sdk.git;a=commitdiff;h=151c6fa1e46529acb74c1baf056d431da1db0422 Users should upgrade their version of Apache Flex and regenerate their current documentation generated with asdoc. Please note that any local modification to the asdoc index.html will need to be saved as they are not reapplied by asdoc on the newly generated documentation. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20150301/reflected_cross_site_scripting_vulnerability_in_asdoc_generated_documentation.html _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists