chemistry-dev mailing list archives

From Florian Müller (JIRA) <>
Subject [jira] [Commented] (CMIS-938) Cross-Site Scripting: Reflected Vulnerability in index.jsp
Date Mon, 24 Aug 2015 11:37:46 GMT


Florian Müller commented on CMIS-938:

The whole InMemory repository is for testing and demo purposes only.


> Cross-Site Scripting: Reflected Vulnerability in index.jsp
> ----------------------------------------------------------
>                 Key: CMIS-938
>                 URL:
>             Project: Chemistry
>          Issue Type: Bug
>          Components: opencmis-client
>    Affects Versions: OpenCMIS 0.13.0
>            Reporter: Donald Kwakkel
> The method _jspService() in index.jsp sends unvalidated data to a web browser on line 131, which can result in the browser executing malicious code.
> Explanation:
> Cross-site scripting (XSS) vulnerabilities occur when:
> 1. Data enters a web application through an untrusted source. In the case of Reflected XSS, the untrusted source is typically a web request, while in the case of Persisted (also known as Stored) XSS it is typically a database or other back-end datastore.
> In this case the data enters at getHeader() in at line 41.
> 2. The data is included in dynamic content that is sent to a web user without being validated.
> In this case the data is sent at println() in index.jsp at line 131.

This message was sent by Atlassian JIRA
