oss-sec mailing list archives
CVE-2018-8031 Apache TomEE Webapp XSS
From: Jonathan Gallimore <jgallimore () apache org>
Date: Mon, 23 Jul 2018 21:03:52 +0100
CVE-2018-8031 Apache TomEE Webapp XSS Severity: Low Vendor: The Apache Software Foundation Description: The TomEE console (tomee-webapp) has a XSS vulnerability which could allow javascript to be executed if the user is given a malicious URL. This web application is typically used to add TomEE features to a Tomcat installation. The TomEE bundles do not ship with this application included. Mitigation: This issue can be mitigated by removing the application after TomEE is setup (if using the application to install TomEE), using one of the provided pre-configured bundles, or by upgrading to TomEE 7.0.5. This issue is resolve in this commit: b8bbf50c23ce97dd64f3a5d77f78f8 4e47579863 Credit: Many thanks to Man Yue Mo from Semmle for reporting this issue.
Current thread:
- CVE-2018-8031 Apache TomEE Webapp XSS Jonathan Gallimore (Jul 23)