
List:       oss-security
Subject:    [oss-security] [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS
From:       Martin <martin_s () apache ! org>
Date:       2019-04-30 15:18:58
Message-ID: 2048242.ks9QkeOCCd () golgafrichnam

CVE-2019-0213: Apache Archiva Stored XSS

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
    Apache Archiva 2.0.0 - 2.2.3
    The unsupported versions 1.x are also affected.  

It may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered a minor risk, as only users with the admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised.
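To illustrate the defensive handling this class of bug calls for, the following is an added example (not Archiva's code) showing how a stored "logo URL" configuration entry can be validated at save time and attribute-encoded at render time, so that a value an admin (or a tampered connection) stores cannot inject script into the page. It assumes Node.js or a modern browser providing the global URL class; the sample values in the comments are constructed.

```javascript
// Added example (not Archiva's code): defensive handling of a stored "logo URL"
// configuration entry before it is rendered into the page as <img src="...">.
// Assumes Node.js or a modern browser (global URL class).

// Accept only absolute http(s) URLs. Anything else (javascript:, data:, relative
// paths, attribute-breaking junk such as a bare quote) is rejected when the
// configuration is saved, not only when it is displayed.
function validateLogoUrl(value) {
  let parsed;
  try {
    parsed = new URL(String(value).trim());
  } catch (e) {
    return { ok: false, reason: 'not an absolute URL' };
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return { ok: false, reason: 'scheme ' + parsed.protocol + ' not allowed' };
  }
  return { ok: true, url: parsed.href };
}

// Encode for an HTML attribute value: even a validated URL is encoded when it is
// placed into markup, so a quote or angle bracket cannot terminate the attribute.
function encodeAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Render the logo tag, falling back to a fixed default if the stored value is
// not acceptable (e.g. a constructed value like "javascript:alert(1)").
function renderLogo(storedValue) {
  const v = validateLogoUrl(storedValue);
  if (!v.ok) return '<img src="images/default-logo.png" alt="logo">';
  return '<img src="' + encodeAttr(v.url) + '" alt="logo">';
}
```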

Mitigation:
  All users are recommended to upgrade to Archiva 2.2.4 or higher.

References:
http://archiva.apache.org/security.html#CVE-2019-0213

The newest Archiva version can be downloaded from:
http://archiva.apache.org/download.cgi

