Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <a7a38ea0-98f0-f98b-8608-ec6d84807238@apache.org>
Date: Wed, 06 Jul 2022 09:35:31 +0000
From: "Mark J. Cox" <mjc@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2022-32533: Apache Portals Jetspeed XSS, CSRF, SSRF, and XXE
 issues 

Severity: moderate

Description:

** UNSUPPORTED WHEN ASSIGNED ** Apache Jetspeed-2 does not sufficiently filter untrusted user input by default leading to a number of issues including XSS, CSRF, XXE, and SSRF.  Setting the configuration option "xss.filter.post = true" may mitigate these issues.

NOTE: Apache Jetspeed is a dormant project of Apache Portals and no updates will be provided for this issue.  

Credit:

Thanks to RunningSnail for reporting.

References:

https://lists.apache.org/thread/d3g248pr03x8rvmh8p2t3xdlw0wn5dz2

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.