One70Six

**Name of the Vulnerable Software and Affected Versions** Apache Archiva versions 1.3.9 and earlier Apache Archiva versions prior to 2.2.1 **Description** A cross-site scripting (XSS) issue allows remote authenticated administrators to inject arbitrary web script or HTML via the `connector.sourceRepoId` parameter to the "admin/addProxyConnector commit.action" API endpoint. **Recommendations** For Apache Archiva versions 1.3.9 and earlier, update to version 2.2.1 or later. For Apache Archiva versions prior to 2.2.1, update to version 2.2.1 or later. As a temporary workaround, consider restricting access to the `admin/addProxyConnector commit.action` API endpoint and avoiding use of the `connector.sourceRepoId` parameter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Netty versions 3.6.x through 3.6.8 Netty versions 3.7.x through 3.7.0 Netty versions 3.8.x through 3.8.1 Netty versions 3.9.x through 3.9.0 Netty versions 4.0.x through 4.0.18 **Description** The issue allows remote attackers to cause a denial of service, resulting in memory consumption. This is achieved by sending a `TextWebSocketFrame` followed by a long stream of `ContinuationWebSocketFrames`. The `WebSocket08FrameDecoder` is the component affected by this issue. **Recommendations** For Netty versions 3.6.x through 3.6.8, update to version 3.6.9 or later. For Netty versions 3.7.x through 3.7.0, update to version 3.7.1 or later. For Netty versions 3.8.x through 3.8.1, update to version 3.8.2 or later. For Netty versions 3.9.x through 3.9.0, update to version 3.9.1 or later. For Netty versions 4.0.x through 4.0.18, update to version 4.0.19 or later.

**Name of the Vulnerable Software and Affected Versions** jQuery versions prior to 1.6.3 **Description** The issue is related to a lack of protection for the web page structure, allowing for the injection of arbitrary web scripts or HTML code. This can be exploited by a remote attacker to inject malicious code via a crafted tag, specifically when using location.hash to select elements. **Recommendations** For jQuery versions prior to 1.6.3, update to version 1.6.3 or later to resolve the issue. As a temporary workaround, consider avoiding the use of location.hash to select elements until a patch is applied. Restrict access to potentially vulnerable web pages to minimize the risk of exploitation.