A request that included a specially crafted request parameter could be used to inject arbitrary HTML or Javascript into Continuum project pages. Versions 1.3.6 and 1.4.0 Beta are affected along with unsupported, older revs.
0782a37ae7b67ae32bd44e36f19edd4ac64c7f6b85bc91cd4b7a0687e3f4cf9aCVE-2011-0533: Apache Continuum cross-site scripting vulnerability
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Continuum 1.3.6
Continuum 1.4.0 (Beta)
The unsupported versions Continuum 1.1 - 1.2.3.1 are also affected.
Description:
A request that included a specially crafted request parameter could be
used to inject arbitrary HTML or Javascript into Continuum project
pages.
Mitigation:
Continuum 1.3.6 and earlier users should upgrade to 1.3.7
Continuum 1.4.0 (Beta) users should apply the following patch:
http://svn.apache.org/viewvc?view=revision&revision=1066056
Credit:
This issue was discovered by Tal Be'ery of Imperva.
References:
http://continuum.apache.org/security.html
--
Brett Porter
brett@apache.org
http://brettporter.wordpress.com/
http://au.linkedin.com/in/brettporter
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed