
List:       oss-security
Subject:    [oss-security] CVE-2022-42466: Apache Isis: XSS vulnerability, eg for String properties.
From:       Dan Haywood <danhaywood () apache ! org>
Date:       2022-10-19 6:02:33
Message-ID: CALJOYLFzKmL_qChvRV8iAcQBVuixtXr-_=50mPJynpUE5qSsHA () mail ! gmail ! com

Severity: important

Description:

Prior to 2.0.0-M9, an end-user could set the value of an editable string
property of a domain object to a value that would be rendered unchanged
(unescaped) once the value was saved.  In particular, the end-user could
enter JavaScript or similar markup, and it would be executed when the
page was rendered.

As of this release, the input strings are properly escaped when rendered.
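The advisory describes the fix as escaping at render time rather than at save time. The following added example (not code from the Apache Isis project) models that with a minimal stand-in domain object: the stored value round-trips unchanged, the pre-fix renderer interpolates it raw into HTML, and the fixed renderer HTML-escapes it at the point of output. The class and function names are hypothetical; the sample property values are constructed.

```python
import html
from dataclasses import dataclass


@dataclass
class DomainObject:
    """Hypothetical stand-in for an Isis domain object with one editable String property."""
    name: str = ""


def set_property(obj: DomainObject, value: str) -> None:
    # Store the value exactly as entered. Escaping belongs at render time;
    # escaping on save would corrupt the stored data and double-escape on re-edit.
    obj.name = value


def render_vulnerable(obj: DomainObject) -> str:
    # Pre-2.0.0-M9 behaviour as the advisory describes it: the raw value is
    # interpolated into the page, so markup in the value becomes live HTML.
    return f'<span class="property">{obj.name}</span>'


def render_fixed(obj: DomainObject) -> str:
    # Fixed behaviour: HTML-escape at the point of rendering. quote=True also
    # encodes ' and ", so the same escaping is safe inside attribute values.
    return f'<span class="property">{html.escape(obj.name, quote=True)}</span>'


def render_edit_field_fixed(obj: DomainObject) -> str:
    # The same value placed in an attribute context (an edit widget) must be
    # escaped too, otherwise a quote in the value would break out of the attribute.
    return f'<input type="text" value="{html.escape(obj.name, quote=True)}">'


def raw_value_survives(rendered: str, value: str) -> bool:
    # Regression check a test suite can run: if a value containing HTML
    # metacharacters appears verbatim in the output, escaping was skipped.
    has_meta = any(ch in value for ch in '<>&"\'')
    return has_meta and value in rendered


def demo() -> dict:
    # Constructed sample input: a benign string containing markup and quotes.
    obj = DomainObject()
    set_property(obj, "<script>alert(1)</script>")
    before = render_vulnerable(obj)
    after = render_fixed(obj)
    return {
        "stored": obj.name,
        "vulnerable": before,
        "vulnerable_leaks": raw_value_survives(before, obj.name),
        "fixed": after,
        "fixed_leaks": raw_value_survives(after, obj.name),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Note that the stored value is identical in both cases; only the rendered HTML differs. `raw_value_survives` is the kind of assertion worth keeping in a view-layer test so that a future template change cannot silently reintroduce the unescaped path.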

Credit:

Apache Isis would like to thank Qing Xu for reporting this issue.