Home page logo
/

bugtraq logo Bugtraq mailing list archives

CVE-2012-2381: Apache Roller Cross-Site-Scripting (XSS) vulnerability
From: Dave <snoopdave () gmail com>
Date: Sun, 24 Jun 2012 13:03:27 -0400

Severity: important

Vendor: The Apache Software Foundation

Versions Affected:
Roller 4.0.0 to Roller 4.0.1
Roller 5.0
The unsupported Roller 3.1 release is also affected

Description:
Roller trusts bloggers to post HTML and JavaScript code in the weblog
and for some sites this can be a problem because users are untrusted
and could post malicious code and exploit XSS. This issue has be
addressed by added a new configiration property weblogAdminsUntrusted
flag that, when set to 'true' will cause all weblog content to be HTML
sanitized.

Mitigation
Roller 4.0 and 4.0.1 users should upgrade to Roller 5.0.1
Roller 5.0 users should upgrade to Roller 5.0.1
Roller 3.1 users should upgrade to Roller 5.0.1

Credit:
This issue was discovered by Jun Zhu, PhD student, University of North
Carolina, Charlotte


  By Date           By Thread  

Current thread:
  • CVE-2012-2381: Apache Roller Cross-Site-Scripting (XSS) vulnerability Dave (Jun 26)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]