roller-user mailing list archives

From Dave <snoopd...@gmail.com>
Subject CVE-2013-4171 Apache Roller RSS/Atom Feed templates contain XSS vulnerabilities
Date Wed, 30 Oct 2013 21:24:03 GMT
Severity: important

Vendor: The Apache Software Foundation

Versions Affected:
Roller 4.0.0 to Roller 4.0.1
Roller 5.0 and Roller 5.0.1
The unsupported Roller 3.1 release is also affected

Description:
Roller's RSS and Atom feed representations of Search Results were
vulnerable to Cross Site Scripting (XSS) attacks because user-provided text
was not escaped in some cases.
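As an added illustration of the defect class described above (this is example code written for this page, not Roller's own feed templates or anything taken from the advisory), the following Python renders a tiny search-results RSS feed in the unescaped form and in the escaped form, then parses each result to show what became of the user-supplied text. The feed template, the tag names and the two sample queries are constructed for the example.

```python
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# Constructed sample queries. The angle-bracket fragment in the first one is
# only a marker so the check below can tell data from markup; the second one
# shows that a bare ampersand also breaks an unescaped feed.
QUERY_MARKUP = "roller <injected>marker</injected> tips"
QUERY_AMP = "cats & dogs"

# Constructed feed skeleton: the user's query is reflected in two places,
# as a search-results feed typically does.
FEED_TEMPLATE = (
    "<rss version=\"2.0\"><channel>"
    "<title>Search results for: {query}</title>"
    "<description>{query}</description>"
    "</channel></rss>"
)
FEED_TAGS = {"rss", "channel", "title", "description"}


def render_feed_unescaped(query):
    """Vulnerable pattern: user text is substituted straight into feed markup."""
    return FEED_TEMPLATE.format(query=query)


def render_feed_escaped(query):
    """Hardened pattern: XML-escape user text before it enters the template.

    escape() rewrites &, < and > as entity references, so whatever the user
    typed is carried as character data, never as elements."""
    return FEED_TEMPLATE.format(query=escape(query))


def analyze_feed(feed_xml):
    """Parse a rendered feed and report whether the user text stayed data.

    Returns a dict with:
      well_formed  - False if the feed no longer parses at all
      foreign_tags - element names that are not part of the feed vocabulary,
                     i.e. markup that came from the user rather than the template
      title        - the full text content of <title>, entities decoded
    """
    try:
        root = ET.fromstring(feed_xml)
    except ET.ParseError:
        return {"well_formed": False, "foreign_tags": [], "title": None}
    foreign = [el.tag for el in root.iter() if el.tag not in FEED_TAGS]
    title_el = root.find("channel/title")
    return {
        "well_formed": True,
        "foreign_tags": foreign,
        "title": "".join(title_el.itertext()),
    }


if __name__ == "__main__":
    for query in (QUERY_MARKUP, QUERY_AMP):
        print("query:", query)
        print("  unescaped:", analyze_feed(render_feed_unescaped(query)))
        print("  escaped:  ", analyze_feed(render_feed_escaped(query)))
```

With the first query the unescaped feed parses but now contains `<injected>` elements that the template never declared, which is exactly the hole a feed-reading browser can turn into script execution; the escaped feed parses with the query intact as text. With the second query the unescaped feed is not even well-formed XML. The check is a useful regression test for any template that reflects request parameters: parse the output and assert that no element name outside the template's own vocabulary appears. Escaping has to match the output context, so a value placed inside a URL attribute needs URL-encoding as well as XML-escaping.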

Mitigation:
Roller 4.0 and 4.0.1 users should upgrade to Roller 5.0.2
Roller 5.0 and 5.0.1 users should upgrade to Roller 5.0.2
Roller 3.1 users should upgrade to Roller 5.0.2

Credit:
Alex Kouzemtchenko, Security Researcher, Coverity
