Lucene search

Veracode Vulnerability DatabaseVERACODE:29661

HistoryMar 11, 2021 - 1:48 a.m.

Cross-site Scripting (XSS)

2021-03-1101:48:48

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

cross-site scripting

velocity-tools-view

vulnerability

malicious script

user-provided file

error page

EPSS

0.007

Percentile

81.0%

JSON

velocity-tools-view is vulnerable cross-site scripting (XSS). An attacker is able to inject and execute malicious script in a user’s browser as it does not escape a user-provided vm file as part of the URL which displayed in the error page.

References

www.openwall.com/lists/oss-security/2021/03/10/2

github.com/apache/velocity-tools/commit/e141828a4eb03e4b0224535eed12b5c463a24152

lists.apache.org/thread.html/r6802a38c3041059e763a1aadd7b37fe95de75408144b5805e29b84e3%40%3Cuser.velocity.apache.org%3E

lists.apache.org/thread.html/r6802a38c3041059e763a1aadd7b37fe95de75408144b5805e29b84e3@%3Cuser.velocity.apache.org%3E

lists.apache.org/thread.html/r97edad0655770342d2d36620fb1de50b142fcd6c4f5c53dd72ca41d7@%3Cuser.velocity.apache.org%3E

lists.apache.org/thread.html/rb042f3b0090e419cc9f5a3d32cf0baff283ccd6fcb1caea61915d6b6@%3Ccommits.velocity.apache.org%3E

lists.apache.org/thread.html/rf9868c564cff7adfd5283563f2309b93b3e496354a211a57503b2f72@%3Cannounce.apache.org%3E

lists.debian.org/debian-lts-announce/2021/03/msg00021.html

security.gentoo.org/glsa/202107-52