struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Vincent Danen (JIRA)" <j...@apache.org>
Subject [jira] Commented: (STR-3191) Sufficently filter HTML tag attribute names and values
Date Tue, 15 Sep 2009 13:13:33 GMT

    [ https://issues.apache.org/struts/browse/STR-3191?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=46748#action_46748
] 

Vincent Danen commented on STR-3191:
------------------------------------

Great.  Can you let me know when this is applied to trunk so we know upstream is using it
and then can start working on our own packages?  That would be very much appreciated.  Thanks!

> Sufficently filter HTML tag attribute names and values
> ------------------------------------------------------
>
>                 Key: STR-3191
>                 URL: https://issues.apache.org/struts/browse/STR-3191
>             Project: Struts 1
>          Issue Type: Bug
>          Components: Tag Libraries
>    Affects Versions: 1.2.9, 1.3.10
>            Reporter: Paul Benedict
>            Assignee: Paul Benedict
>            Priority: Blocker
>             Fix For: 1.3.11, 1.4.0
>
>         Attachments: STR-3191-patch.txt
>
>
> Allows remote attackers to inject arbitrary web script or HTML via unspecified vectors
related to insufficient quoting of parameters. 
> * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2025
> * http://support.novell.com/security/cve/CVE-2008-2025.html

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message