[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: CVE-2010-3854: Apache CouchDB Cross Site Scripting Issue
From: Jan Lehnardt <jan () apache ! org>
Date: 2011-01-28 21:22:45
Message-ID: C840F655-C8C5-4EC6-8AA8-DD223E39C34A () apache ! org
[Download RAW message or body]
CVE-2010-3854: Apache CouchDB Cross Site Scripting Issue
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Apache CouchDB 0.8.0 to 1.0.1
Description:
Apache CouchDB versions prior to version 1.0.2 are vulnerable to
cross site scripting (XSS) attacks.
Mitigation:
All users should upgrade to CouchDB 1.0.2. Upgrades from the 0.11.x
and 0.10.x series should be seamless. Users on earlier versions
should consult http://wiki.apache.org/couchdb/Breaking_changes
Example:
Due to inadequate validation of request parameters and cookie data in
Futon, CouchDB's web-based administration UI, a malicious site can
execute arbitrary code in the context of a user's browsing session.
Credit:
This XSS issue was discovered by a source that wishes to stay
anonymous.
References:
http://couchdb.apache.org/downloads.html
http://wiki.apache.org/couchdb/Breaking_changes
http://en.wikipedia.org/wiki/Cross-site_scripting
Jan Lehnardt
--
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic