CVE-2012-2381: Apache Roller Cross-Site-Scripting (XSS) vulnerability

2012-07-09T00:00:00
ID SECURITYVULNS:DOC:28259
Type securityvulns
Reporter Securityvulns
Modified 2012-07-09T00:00:00

Description

Severity: important

Vendor: The Apache Software Foundation

Versions Affected: Roller 4.0.0 to Roller 4.0.1 Roller 5.0 The unsupported Roller 3.1 release is also affected

Description: Roller trusts bloggers to post HTML and JavaScript code in the weblog and for some sites this can be a problem because users are untrusted and could post malicious code and exploit XSS. This issue has be addressed by added a new configiration property weblogAdminsUntrusted flag that, when set to 'true' will cause all weblog content to be HTML sanitized.

Mitigation Roller 4.0 and 4.0.1 users should upgrade to Roller 5.0.1 Roller 5.0 users should upgrade to Roller 5.0.1 Roller 3.1 users should upgrade to Roller 5.0.1

Credit: This issue was discovered by Jun Zhu, PhD student, University of North Carolina, Charlotte