chemistry-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Donald Kwakkel (JIRA)" <>
Subject [jira] [Created] (CMIS-938) Cross-Site Scripting: Reflected Vulnerability in index.jsp
Date Mon, 24 Aug 2015 08:13:45 GMT
Donald Kwakkel created CMIS-938:

             Summary: Cross-Site Scripting: Reflected Vulnerability in index.jsp
                 Key: CMIS-938
             Project: Chemistry
          Issue Type: Bug
          Components: opencmis-client
    Affects Versions: OpenCMIS 0.13.0
            Reporter: Donald Kwakkel

The method _jspService() in index.jsp sends unvalidated data to a web browser on line 131,
which can result in the browser executing malicious code.


Cross-site scripting (XSS) vulnerabilities occur when:

1. Data enters a web application through an untrusted source. In the case of Reflected XSS,
the untrusted source is typically a web request, while in the case of Persisted (also known
as Stored) XSS it is typically a database or other back-end datastore.

In this case the data enters at getHeader() in at line

2. The data is included in dynamic content that is sent to a web user without being validated.

In this case the data is sent at println() in index.jsp at line 131.

This message was sent by Atlassian JIRA

View raw message