Date: Wed, 06 Jul 2022 09:35:31 +0000 From: "Mark J. Cox" <mjc@...che.org> To: oss-security@...ts.openwall.com Subject: CVE-2022-32533: Apache Portals Jetspeed XSS, CSRF, SSRF, and XXE issues Severity: moderate Description: ** UNSUPPORTED WHEN ASSIGNED ** Apache Jetspeed-2 does not sufficiently filter untrusted user input by default leading to a number of issues including XSS, CSRF, XXE, and SSRF. Setting the configuration option "xss.filter.post = true" may mitigate these issues. NOTE: Apache Jetspeed is a dormant project of Apache Portals and no updates will be provided for this issue. Credit: Thanks to RunningSnail for reporting. References: https://lists.apache.org/thread/d3g248pr03x8rvmh8p2t3xdlw0wn5dz2
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.