CVE-2017-15911 XSS with domain in setup-host-settings.jsp

Description

XSS reported to the security@igniterealtime.org list by Rajwinder Singh, concerning the domain field on the setup page (setup-host-settings.jsp). A more detailed blog post exists as well.

Environment

None

Attachments

1 attachment (25 Oct 2017, 05:30 PM)

Activity

Dave Cridland November 14, 2017 at 12:22 PM

This is a bit daft to list as a serious security problem. The setup pages are presumed to be a one-off path by a single administrative user - the only person they could be attacking via this XSS is therefore themselves.

In many respects, I'd rather work on securing the setup process rather than faff about with largely pointless "security" issues like this - on the other hand, it's a slam-dunk for cleaning up a CVE, so I'll close it.

Fixed

Details

Created October 25, 2017 at 5:30 PM
Updated November 16, 2017 at 9:36 PM
Resolved November 16, 2017 at 9:33 PM