oss-sec mailing list archives
CVE-2021-42357: DOM based XSS Vulnerability in Apache Knox
From: Larry McCay <lmccay () apache org>
Date: Mon, 17 Jan 2022 17:48:28 +0000
Severity: moderate

Description:
When using Knox SSO in affected releases, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This URL would need to be presented to the user outside the normal request flow through an XSS or phishing campaign.

Mitigation:
1.x users should upgrade to 1.6.1. Unsupported versions of the 0.x line that include this issue are 0.13.0 and 0.14.0; these should upgrade to 1.6.1 as well. 1.0.0 and 1.1.0 are also unsupported but affected and should upgrade to 1.6.1.

Credit:
Apache Knox would like to thank Kajetan Rostojek for this report.
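To illustrate the "improper URL parsing" failure mode the advisory describes, the following added example (not Knox code, and not the fix shipped in 1.6.1) contrasts a string-prefix check on a redirect parameter with a parser-based check that only accepts an exact, allowlisted host. The allowlist hosts and the `pick_redirect` handler are hypothetical.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist of hosts an SSO provider may send the browser back to.
# These are placeholder names, not Knox configuration values.
ALLOWED_REDIRECT_HOSTS = {"gateway.example.org", "app.example.org"}


def naive_is_safe_redirect(url: str) -> bool:
    """A string-prefix check: the kind of 'URL parsing' that lets a crafted
    parameter through, because the prefix says nothing about the real host."""
    return any(url.startswith(f"https://{h}") for h in ALLOWED_REDIRECT_HOSTS)


def is_safe_redirect(url: str) -> bool:
    """Parse the candidate target and accept it only when the scheme is https,
    there is no userinfo, and the parsed hostname is exactly on the allowlist."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal; reject rather than guess
        return False
    if parts.scheme != "https":
        return False  # rejects scheme-relative and non-http(s) targets
    if parts.username or parts.password:
        return False  # userinfo before '@' is never expected in a redirect
    host = parts.hostname  # lowercased, userinfo removed, brackets stripped
    if host is None or host not in ALLOWED_REDIRECT_HOSTS:
        return False
    # Backslashes and control characters are normalised differently by
    # browsers and server-side parsers, so refuse them outright.
    if any(c in url for c in "\\\r\n\t"):
        return False
    return True


def pick_redirect(candidate: Optional[str],
                  default: str = "https://gateway.example.org/") -> str:
    """Return the Location an SSO handler should issue: the validated
    candidate, or a fixed default when the parameter is absent or rejected."""
    if candidate and is_safe_redirect(candidate):
        return candidate
    return default
```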