List: oss-security
Subject: [oss-security] CVE-2022-42466: Apache Isis: XSS vulnerability, eg for String properties.
From: Dan Haywood <danhaywood () apache ! org>
Date: 2022-10-19 6:02:33
Message-ID: CALJOYLFzKmL_qChvRV8iAcQBVuixtXr-_=50mPJynpUE5qSsHA () mail ! gmail ! com
Severity: important
Description:
Prior to 2.0.0-M9, it was possible for an end-user to set the value of
an editable string property of a domain object to a value that would
be rendered unchanged when the value was saved. In particular, the
end-user could enter JavaScript or similar and this would be executed.
As of this release, the inputted strings are properly escaped when rendered.
Credit:
Apache Isis would like to thank Qing Xu for reporting this issue.
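
The difference between rendering a saved string property unchanged and escaping it at render time, as an added example that is not part of the original message and is not Apache Isis code. The class, the method names and the sample values are hypothetical and constructed for illustration.

```java
import java.util.List;

// Added illustration, not Apache Isis code; every name here is hypothetical.
public class StringPropertyRenderDemo {

    // Pre-fix behaviour as described: the saved value goes into the page unchanged.
    static String renderUnescaped(String label, String value) {
        return "<label>" + label + "</label><span>" + value + "</span>";
    }

    // Post-fix behaviour: the value is escaped at render time and shown as text.
    static String renderEscaped(String label, String value) {
        return "<label>" + escapeHtml(label) + "</label><span>"
                + escapeHtml(value) + "</span>";
    }

    // Minimal escaper for HTML element content and quoted attribute values.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values saved into an editable string property.
        List<String> saved = List.of("O'Brien & Sons", "<script>alert(1)</script>");
        for (String value : saved) {
            String after = renderEscaped("Last name", value);
            System.out.println("unescaped: " + renderUnescaped("Last name", value));
            System.out.println("escaped:   " + after);
            // The escaped span must contain no raw angle brackets from the value.
            String span = after.substring(after.indexOf("<span>") + 6,
                                          after.lastIndexOf("</span>"));
            if (span.contains("<") || span.contains(">")) {
                throw new IllegalStateException("value not escaped: " + span);
            }
        }
    }
}
```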