From: Brett Porter
To: users@continuum.apache.org
Cc: announce@apache.org, Apache Security Response Team, dev@continuum.apache.org, full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Subject: [SECURITY] CVE-2011-0533: Apache Continuum cross-site scripting vulnerability
Date: Fri, 11 Feb 2011 01:19:40 +1100
Message-Id: <981C0A79-5B7B-4053-84CC-3217870BE360@apache.org>

CVE-2011-0533: Apache Continuum cross-site scripting vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Continuum 1.3.6
Continuum 1.4.0 (Beta)
The unsupported versions Continuum 1.1 - 1.2.3.1 are also affected.

Description:
A request that included a specially crafted request parameter could be used to inject arbitrary HTML or Javascript into Continuum project pages.

Mitigation:
Continuum 1.3.6 and earlier users should upgrade to 1.3.7
Continuum 1.4.0 (Beta) users should apply the following patch:
http://svn.apache.org/viewvc?view=revision&revision=1066056

Credit:
This issue was discovered by Tal Be'ery of Imperva.

References:
http://continuum.apache.org/security.html

-- 
Brett Porter
brett@apache.org
http://brettporter.wordpress.com/
http://au.linkedin.com/in/brettporter
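As an added example (not part of the advisory and not Continuum project code), the Python check below maps a reported Continuum version string onto the "Versions Affected" and "Mitigation" ranges stated above, so an inventory scan can tell affected, fixed and unlisted versions apart. The function names, the range tuples and the treatment of any "1.4.0" string as the beta build are assumptions of this example.

```python
import re
from typing import Tuple

Version = Tuple[int, ...]

# Ranges transcribed from the advisory text (inclusive bounds, compared as tuples).
# Constructed for this example; Continuum ships no such table.
UNSUPPORTED_AFFECTED = ((1, 1), (1, 2, 3, 1))   # "Continuum 1.1 - 1.2.3.1"
SUPPORTED_AFFECTED = ((1, 3), (1, 3, 6))        # 1.3.x releases, "1.3.6 and earlier"
BETA_AFFECTED = (1, 4, 0)                       # "Continuum 1.4.0 (Beta)", patch only
FIXED_RELEASE = (1, 3, 7)                       # "upgrade to 1.3.7"


def parse_version(text: str) -> Version:
    """Extract the dotted version from strings such as 'Continuum 1.4.0 (Beta)'.

    The '(Beta)' qualifier is dropped: the advisory names only one 1.4.0 build,
    so any 1.4.0 string is treated as that beta (assumption of this example).
    """
    match = re.search(r"\b(\d+(?:\.\d+)*)\b", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def assess(text: str) -> str:
    """Return the advisory's guidance for one version string."""
    version = parse_version(text)
    if UNSUPPORTED_AFFECTED[0] <= version <= UNSUPPORTED_AFFECTED[1]:
        return "affected (unsupported release): upgrade to 1.3.7"
    if SUPPORTED_AFFECTED[0] <= version <= SUPPORTED_AFFECTED[1]:
        return "affected: upgrade to 1.3.7"
    if version == BETA_AFFECTED:
        return "affected: apply the patch linked in the advisory (r1066056)"
    if FIXED_RELEASE <= version < (1, 4):
        return "fixed: 1.3.7 or later"
    # Anything else (e.g. 1.0, 1.2.4, 1.5.0) is not named by the advisory; do not guess.
    return "not covered by CVE-2011-0533 advisory: verify separately"


if __name__ == "__main__":
    for sample in ("Continuum 1.3.6", "1.4.0 (Beta)", "1.2.3.1", "1.3.7", "1.5.0"):
        print(f"{sample:18} -> {assess(sample)}")
```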