Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 5 Aug 2013 00:56:40 -0400 (EDT)
From: David Jorm <djorm@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: CVE request: XSS in Google Web Toolkit (GWT)

I note that with the release of Google Web Toolkit (GWT) 2.5.1, a security flaw has been resolved:

http://www.gwtproject.org/release-notes.html#Release_Notes_2_5_1_RC1 ("Security Fixes")

The release notes state:
Fixed an XSS vulnerability in html files used by GWTTestCase (patch). These files will only be included in a GWT app if it depends on the JUnit module. Despite the fix, this is not recommended.

The patch is here:
https://code.google.com/p/google-web-toolkit/source/detail?r=11385

I have reproduced this flaw and can confirm it is reflected XSS. I have previously contacted security@...gle asking for CVE IDs for GWT flaws, but never received a response. Please assign a CVE ID to this flaw.

Thanks
-- 
David Jorm / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.