axis-java-dev mailing list archives

From "Andreas Veithen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AXIS2-5683) BUG - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) - ListingAgent.java
Date Wed, 01 Jun 2016 16:40:59 GMT

    [ https://issues.apache.org/jira/browse/AXIS2-5683?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15310602#comment-15310602 ]

Andreas Veithen commented on AXIS2-5683:
----------------------------------------

CVE-2010-2103 is unrelated to AXIS2-5683. Please do not post questions on unrelated bugs.

> BUG - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) - ListingAgent.java
> -------------------------------------------------------------------------------------------------------
>
>                 Key: AXIS2-5683
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5683
>             Project: Axis2
>          Issue Type: Bug
>          Components: transports
>    Affects Versions: 1.5.6, 1.6.2, 1.7.1
>            Reporter: David Camilo Espitia Manrique
>   Original Estimate: 120h
>  Remaining Estimate: 120h
>
> We are currently using "axis2-transport-http-1.5.6" and the Veracode analysis found a bug in this class:
> 1. ListingAgent.java (version 1.5.6 in lines 256 and 292) and (version 1.6.2 in lines 252 and 288)
> Type: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
> Description:
> This call contains a cross-site scripting (XSS) flaw. The application populates the HTTP response with user-supplied input, allowing an attacker to embed malicious content, such as JavaScript code, which will be executed in the context of the victim's browser. XSS vulnerabilities are commonly exploited to steal or manipulate cookies, modify presentation of content, and compromise confidential information, with new attack vectors being discovered on a regular basis.
> Is this a false positive?
> Thanks.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
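The scanner finding quoted above describes the generic CWE-80 pattern: a request-controlled value is written into an HTML response without encoding. The following is an added illustration of that pattern and of the usual fix (encode at the point the value enters markup); it is constructed for this page and is not the Axis2 ListingAgent code, so the handler shape, the `escapeHtml` helper and the sample input are all assumptions.

```java
import java.util.Arrays;
import java.util.List;

public class ReflectedOutputDemo {

    // Minimal HTML entity encoder for text and attribute context. Hypothetical
    // helper written for this example; a real project should use a maintained
    // encoder (for instance the OWASP Java Encoder) rather than hand-rolling one.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // VULNERABLE shape: a value taken from the request (e.g. a service name
    // from the query string) is concatenated straight into the page body.
    // Constructed for illustration; it is not the code the scanner flagged.
    static String renderVulnerable(String serviceName) {
        return "<html><body><h2>Service: " + serviceName + "</h2></body></html>";
    }

    // HARDENED shape: identical template, but the untrusted value is encoded
    // where it enters HTML text context.
    static String renderHardened(String serviceName) {
        return "<html><body><h2>Service: " + escapeHtml(serviceName) + "</h2></body></html>";
    }

    // Defender-side check suitable for a unit test on any page template:
    // every tag in the rendered output must come from the template itself.
    // Returns true when a tag appears that is not in the allow-list.
    static boolean containsUnexpectedTag(String html, List<String> templateTags) {
        int pos = 0;
        while ((pos = html.indexOf('<', pos)) >= 0) {
            int end = html.indexOf('>', pos);
            if (end < 0) {
                return true; // dangling '<' is never part of a well-formed template
            }
            String tag = html.substring(pos, end + 1);
            if (!templateTags.contains(tag)) {
                return true;
            }
            pos = end + 1;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample input: markup, not a script, is enough to show
        // the value breaking out of text context.
        String untrusted = "Echo<b>injected</b>";
        List<String> templateTags = Arrays.asList(
                "<html>", "<body>", "<h2>", "</h2>", "</body>", "</html>");

        String bad = renderVulnerable(untrusted);
        String good = renderHardened(untrusted);

        System.out.println("vulnerable : " + bad);
        System.out.println("  leaks tag? " + containsUnexpectedTag(bad, templateTags));   // true
        System.out.println("hardened   : " + good);
        System.out.println("  leaks tag? " + containsUnexpectedTag(good, templateTags));  // false
    }
}
```

The allow-list check is the kind of regression test that settles the "is this a false positive?" question for a given template: run the handler with input containing `<` and `"` and assert that no tag outside the template survives. Encoding has to match the context the value lands in (text, attribute, URL or script), and the `Content-Type` header should carry an explicit charset so the browser cannot reinterpret the bytes.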


