tomee-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jonathan Gallimore <jgallim...@apache.org>
Subject CVE-2018-8031 Apache TomEE Webapp XSS
Date Mon, 23 Jul 2018 19:58:40 GMT
CVE-2018-8031 Apache TomEE Webapp XSS

Severity: Low

Vendor: The Apache Software Foundation

Description:
The TomEE console (tomee-webapp) has a XSS vulnerability which could allow
javascript to be executed if the user is given a malicious URL. This web
application is typically used to add TomEE features to a Tomcat
installation. The TomEE bundles do not ship with this application included.

Mitigation:
This issue can be mitigated by removing the application after TomEE is
setup (if using the application to install TomEE), using one of the
provided pre-configured bundles, or by upgrading to TomEE 7.0.5.

This issue is resolve in this commit: b8bbf50c23ce97dd64f3a5d77f78f8
4e47579863

Credit: Many thanks to Man Yue Mo from Semmle for reporting this issue.

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message