PT-2018-6576 · Apache · Apache Deltaspike-Jsf

Published 2018-01-04 · Updated 2022-05-13 · CVE-2017-17837

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Apache DeltaSpike-JSF version 1.8.0
Description: The issue is related to an XSS injection leak in the windowId handling. By default, the windowId size gets cut off after 10 characters, which might limit the impact. A fix has been applied and released in Apache DeltaSpike-JSF 1.8.1.
Recommendations: For Apache DeltaSpike-JSF version 1.8.0, update to Apache DeltaSpike-JSF 1.8.1 to resolve the issue. As a temporary workaround, consider restricting the use of the windowId handling until the update is applied.
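To make the advisory's point concrete, the following added example (not DeltaSpike's own code) contrasts the default behaviour it describes, truncating the windowId to 10 characters before reflecting it, with an allowlist check plus output escaping. The parameter name `windowId` and the alphanumeric allowlist pattern are assumptions for the illustration.

```python
import html
import re

# Added illustration of the advisory's point; this is not DeltaSpike's own
# code. The advisory says the default windowId is cut off after 10 characters,
# which limits but does not remove the risk when the value is reflected into
# the page unescaped. Parameter name and allowlist below are assumptions.
WINDOW_ID_MAX_LEN = 10
WINDOW_ID_PATTERN = re.compile(rf"[A-Za-z0-9]{{1,{WINDOW_ID_MAX_LEN}}}")
PARAM_NAME = "windowId"  # hypothetical request parameter name


def truncate_window_id(raw: str) -> str:
    """The 'limit the impact' behaviour: keep the first 10 characters only.
    Quotes and angle brackets still pass through unchanged."""
    return raw[:WINDOW_ID_MAX_LEN]


def is_valid_window_id(raw: str) -> bool:
    """Allowlist check: only short alphanumeric tokens are accepted."""
    return WINDOW_ID_PATTERN.fullmatch(raw) is not None


def render_window_id_unsafe(raw: str) -> str:
    """Vulnerable pattern: reflect the truncated value into markup unescaped,
    so a quote in the input terminates the attribute early."""
    return f'<input type="hidden" name="{PARAM_NAME}" value="{truncate_window_id(raw)}">'


def render_window_id_hardened(raw: str) -> str:
    """Reject anything outside the allowlist, then still escape at the sink."""
    if not is_valid_window_id(raw):
        raise ValueError("invalid windowId")
    escaped = html.escape(raw, quote=True)
    return f'<input type="hidden" name="{PARAM_NAME}" value="{escaped}">'


def accepts_window_id(raw: str) -> bool:
    """True if the hardened renderer accepts the value, False if it rejects it."""
    try:
        render_window_id_hardened(raw)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real request.
    for sample in ("abc123", 'ab"><c', "x" * 16):
        print(repr(sample), "unsafe:", render_window_id_unsafe(sample),
              "| accepted by hardened path:", accepts_window_id(sample))
```

Truncation alone keeps a short malformed value intact, which is why the advisory calls it a limit on impact rather than a fix; the allowlist rejects such values before they reach the HTML sink.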


Weakness Enumeration

Related Identifiers

CVE-2017-17837
GHSA-4Q23-G7MF-XP98

Affected Products

Apache Deltaspike-Jsf