CVE-2017-15911 XSS with domain in setup-host-settings.jsp

Description

An XSS was reported to the security@igniterealtime.org list by Rajwinder Singh, concerning the domain value on the setup page (setup-host-settings.jsp). A more detailed blog post exists as well.

Environment

None

Activity

Dave Cridland
November 14, 2017, 12:22 PM

This is a bit daft to list as a serious security problem. The setup pages are presumed to be a one-off path by a single administrative user - the only person they could be attacking via this XSS is therefore themselves.

In many respects, I'd rather work on securing the setup process rather than faff about with largely pointless "security" issues like this - on the other hand, it's a slam-dunk for cleaning up a CVE, so I'll close it.

Fixed

Assignee

Dave Cridland

Reporter

Daryl Herzmann

Labels

None

Expected Effort

None

Ignite Forum URL

None

Components

Fix versions

Affects versions

Priority

Major