www-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Witt <joew...@apache.org>
Subject [SECURITY] CVE-2016-8748: Apache NiFi XSS vulnerability in connection details dialogue
Date Mon, 16 Jan 2017 19:25:13 GMT
CVE-2016-8748: Apache NiFi XSS vulnerability in connection details dialogue

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache NiFi 1.0.0
Apache NiFi 1.1.0

Description: There is a cross-site scripting vulnerability in
connection details dialog when accessed by an authorized user. The
user supplied text was not be properly handled when added to the DOM.

Mitigation:
1.0.0 users should upgrade to 1.0.1 or 1.1.1.
1.1.0 users should upgrade to 1.1.1.  Additional migration guidance
can be found https://cwiki.apache.org/confluence/display/NIFI/Migration+Guidance.

Credit: This issue was discovered by Matt Gilman of the Apache NiFi
PMC during a code review.

References: https://nifi.apache.org/security.html

Mime
View raw message