Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 19 Oct 2022 07:02:33 +0100
From: Dan Haywood <>
Subject: CVE-2022-42466: Apache Isis: XSS vulnerability, eg for String properties.

Severity: important


Prior to 2.0.0-M9, it was possible for an end-user to set the value of
an editable string property of a domain object to a value that would
be rendered unchanged when the value was saved.  In particular, the
end-user could enter javascript or similar and this would be executed.

As of this release, the inputted strings are properly escaped when rendered.


Apache Isis would like to thank Qing Xu for reporting this issue

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.