'[oss-security] CVE-2022-32533: Apache Portals Jetspeed XSS, CSRF, SSRF, and XXE issues'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE-2022-32533: Apache Portals Jetspeed XSS, CSRF, SSRF, and XXE issues
From:       "Mark J. Cox" <mjc () apache ! org>
Date:       2022-07-06 9:35:31
Message-ID: a7a38ea0-98f0-f98b-8608-ec6d84807238 () apache ! org
[Download RAW message or body]

Severity: moderate

Description:

** UNSUPPORTED WHEN ASSIGNED ** Apache Jetspeed-2 does not sufficiently filter untrusted user \
input by default leading to a number of issues including XSS, CSRF, XXE, and SSRF.  Setting the \
configuration option "xss.filter.post = true" may mitigate these issues.

NOTE: Apache Jetspeed is a dormant project of Apache Portals and no updates will be provided \
for this issue.  

Credit:

Thanks to RunningSnail for reporting.

References:

https://lists.apache.org/thread/d3g248pr03x8rvmh8p2t3xdlw0wn5dz2

[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic