[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE-2018-8031 Apache TomEE Webapp XSS
From:       Jonathan Gallimore <jgallimore () apache ! org>
Date:       2018-07-23 20:03:52
Message-ID: CAGRgoZhO_hrOg3OF8=hs6j5KsRR68mmQDk0rChQ+jPvEN95x3g () mail ! gmail ! com
[Download RAW message or body]


CVE-2018-8031 Apache TomEE Webapp XSS

Severity: Low

Vendor: The Apache Software Foundation

Description:
The TomEE console (tomee-webapp) has a XSS vulnerability which could allow
javascript to be executed if the user is given a malicious URL. This web
application is typically used to add TomEE features to a Tomcat
installation. The TomEE bundles do not ship with this application included.

Mitigation:
This issue can be mitigated by removing the application after TomEE is
setup (if using the application to install TomEE), using one of the
provided pre-configured bundles, or by upgrading to TomEE 7.0.5.

This issue is resolve in this commit: b8bbf50c23ce97dd64f3a5d77f78f8
4e47579863

Credit: Many thanks to Man Yue Mo from Semmle for reporting this issue.


[prev in list] [next in list] [prev in thread] [next in thread]