CVE-2017-17837

6.1MEDIUM

Key Information:

Vendor: Apache
Status: Apache Deltaspike
Vendor: CVE Published:; 4 January 2018

Summary

The Apache DeltaSpike-JSF 1.8.0 module has a XSS injection leak in the windowId handling. The default size of the windowId get's cut off after 10 characters (by default), so the impact might be limited. A fix got applied and released in Apache deltaspike-1.8.1.

Affected Version(s)

Apache DeltaSpike 1.8.0

References

https://issues.apache.org/jira/browse/DELTASPIKE-1307

x_refsource_CONFIRM

https://git-wip-us.apache.org/repos/asf?p=deltaspike.git%...

x_refsource_CONFIRM

https://lists.apache.org/thread.html/r78565f0f4ecb4ad32a6...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jan 4, 2018
Vulnerability Reserved
Dec 22, 2017

.