PT-2015-3439 · Oracle+1 · Java Runtime Environment+2

Published: 2015-09-01 · Updated: 2022-05-14 · CVE-2016-4003

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Java Runtime Environment versions prior to 1.8; Java Development Kit versions prior to 1.8

Description: The issue is related to the implementation of the URLDecoder class in Java Runtime Environment and Java Development Kit, specifically when a single-byte page encoding is used. It allows a remote attacker to conduct cross-site scripting attacks by injecting arbitrary web script or HTML via multi-byte characters in a URL-encoded parameter.

Recommendations: For Java Runtime Environment and Java Development Kit versions prior to 1.8, update to version 1.8 or later to resolve the issue. As a temporary workaround, consider restricting the use of URLDecoder until a patch is applied, and avoid using multi-byte characters in URL-encoded parameters on the affected versions.
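The mitigation the advisory points at, decoding with an explicit multi-byte charset rather than a single-byte page encoding and escaping before output, as an added illustration that is not part of this advisory and not JDK or Apache Struts code; the class name `SafeParam`, the helpers `strictDecode` and `htmlEscape`, and the sample parameter values are assumptions constructed for the example.

```java
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;

// Hypothetical helper, not JDK or Struts code: decodes a URL-encoded parameter as
// UTF-8 (not a single-byte page encoding), rejects malformed bytes, HTML-escapes.
public final class SafeParam {
    // Percent-decode to raw bytes ('+' -> space, "%xx" -> one byte), then decode them
    // as UTF-8 with REPORT so a truncated or invalid multi-byte sequence throws.
    static String strictDecode(String encoded) throws CharacterCodingException {
        ByteArrayOutputStream raw = new ByteArrayOutputStream();
        for (int i = 0; i < encoded.length(); i++) {
            char c = encoded.charAt(i);
            if (c == '+') {
                raw.write(' ');
            } else if (c == '%') {
                if (i + 2 >= encoded.length()) throw new IllegalArgumentException("truncated escape");
                int hi = Character.digit(encoded.charAt(i + 1), 16);
                int lo = Character.digit(encoded.charAt(i + 2), 16);
                if (hi < 0 || lo < 0) throw new IllegalArgumentException("bad hex escape");
                raw.write((hi << 4) | lo);
                i += 2;
            } else if (c > 0x7F) {
                throw new IllegalArgumentException("non-ASCII char in encoded input");
            } else {
                raw.write(c);
            }
        }
        return StandardCharsets.UTF_8.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT)
                .decode(ByteBuffer.wrap(raw.toByteArray())).toString();
    }
    // Escape for an HTML text node or quoted attribute value; '&' must go first.
    static String htmlEscape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: "<é>" percent-encoded as UTF-8 (é is bytes C3 A9).
        System.out.println(htmlEscape(strictDecode("%3C%C3%A9%3E")));
        // Constructed sample: lead byte C3 followed by a non-continuation byte.
        try { strictDecode("%C3%3C"); }
        catch (CharacterCodingException e) { System.out.println("rejected: " + e); }
    }
}
```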

Fix

XSS


Weakness Enumeration

Related Identifiers

BDU:2022-05819
CVE-2016-4003
GHSA-M3X6-9V6H-4G28

Affected Products

Apache Struts
Java Development Kit
Java Runtime Environment