oss-sec mailing list archives
CVE request: resin: Cross site scripting
From: Agostino Sarubbo <ago () gentoo org>
Date: Tue, 11 Jun 2013 11:10:31 +0200
From the Secunia advisory SA53749 [1]:

Description
Gjoko Krstic has discovered a vulnerability in Caucho Resin, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input appended to the URL after /resin-admin/ is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability is confirmed in version 4.0.36. Other versions may also be affected.

Solution
No official solution is currently available.

Provided and/or discovered by
Gjoko Krstic (LiquidWorm)

Original Advisory
ZSL-2013-5143:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5143.php

[1]: https://secunia.com/advisories/53749/

The original advisory contains a PoC.
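The defect the advisory describes is a path segment echoed into a page without HTML encoding. The following is an added illustration written for this archive page, not code from Resin or from the advisory: a minimal echo handler in its unsafe and encoded forms, a regression check that tells the two apart, and a scan over constructed access-log lines that flags requests probing that reflection. The handler layout, the log format and the sample lines are assumptions.

```python
import html
from urllib.parse import unquote

# Assumption: the reflected text is whatever follows this prefix in the path.
ADMIN_PREFIX = "/resin-admin/"


def vulnerable_not_found_page(request_path: str) -> str:
    # Echoes the untrusted suffix verbatim into an HTML element: reflected XSS.
    suffix = request_path[len(ADMIN_PREFIX):]
    return f"<html><body><h1>Not found: {suffix}</h1></body></html>"


def hardened_not_found_page(request_path: str) -> str:
    # HTML-encode for the element context; quote=True also neutralises
    # quotes so the same helper is safe inside attribute values.
    suffix = html.escape(request_path[len(ADMIN_PREFIX):], quote=True)
    return f"<html><body><h1>Not found: {suffix}</h1></body></html>"


def reflects_raw_markup(body: str, untrusted: str) -> bool:
    """True when the input appears in the body with its HTML metacharacters
    intact, i.e. the page reflected it without encoding (regression check)."""
    has_meta = any(c in untrusted for c in "<>\"'&")
    return has_meta and untrusted in body


# Constructed sample in common-log format (request line between quotes).
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Jun/2013:11:10:31 +0200] "GET /resin-admin/ HTTP/1.1" 200 512',
    '10.0.0.9 - - [11/Jun/2013:11:11:02 +0200] "GET /resin-admin/%3Cb%3Eprobe%3C/b%3E HTTP/1.1" 404 210',
    '10.0.0.9 - - [11/Jun/2013:11:11:05 +0200] "GET /static/app.css HTTP/1.1" 200 1024',
]


def suspicious_admin_requests(log_lines):
    """Return decoded request paths under /resin-admin/ that carry HTML
    metacharacters after percent-decoding: a sign the reflection is being probed."""
    hits = []
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue  # not in the expected format; skip rather than guess
        request = parts[1].split(" ")
        if len(request) < 2:
            continue
        path = unquote(request[1])
        if path.startswith(ADMIN_PREFIX) and any(c in path for c in "<>\"'"):
            hits.append(path)
    return hits
```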
Current thread:
- CVE request: resin: Cross site scripting Agostino Sarubbo (Jun 11)
- Re: CVE request: resin: Cross site scripting Kurt Seifried (Jun 13)