CVE-2010-3854: Apache CouchDB Cross Site Scripting Issue

From: Jan Lehnardt <jan@apache.org>
To: dev@couchdb.apache.org
Cc: user@couchdb.apache.org,security@couchdb.apache.org,security@apache.org,full-disclosure@lists.grok.org.uk,bugtraq@securityfocus.com
Subject: CVE-2010-3854: Apache CouchDB Cross Site Scripting Issue
Date:


CVE-2010-3854: Apache CouchDB Cross Site Scripting Issue

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache CouchDB 0.8.0 to 1.0.1

Description:
Apache CouchDB versions prior to version 1.0.2 are vulnerable to
cross site scripting (XSS) attacks.

Mitigation:
All users should upgrade to CouchDB 1.0.2. Upgrades from the 0.11.x
and 0.10.x series should be seamless. Users on earlier versions
should consult http://wiki.apache.org/couchdb/Breaking_changes before
upgrading.

Example:
Due to inadequate validation of request parameters and cookie data in
Futon, CouchDB's web-based administration UI, a malicious site can
cause arbitrary script to execute in the context of a user's Futon
browsing session, i.e. with that user's access to the CouchDB server.
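The pattern behind this class of bug, shown here as an added illustration that is not Futon's code and does not reproduce the specific CouchDB flaw: a client-side page takes values from its own URL and from a cookie and concatenates them into markup. The function names, the "db" query parameter, the "user" cookie and the sample payloads are all constructed for the example. Passing escape=false is the vulnerable pattern; escape=true encodes the same values for an HTML text context before they are interpolated.

```javascript
// Added illustration of the XSS pattern the advisory describes. This is not
// Futon's code and does not reproduce the specific CouchDB flaw; the function
// names, the "db" query parameter and the "user" cookie are hypothetical.

// Decode a percent-encoded component without throwing on malformed input.
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s;
  }
}

// Parse "?a=1&b=2" the way a client-side UI might read its own URL.
function parseQuery(search) {
  const params = {};
  const qs = search.startsWith("?") ? search.slice(1) : search;
  for (const pair of qs.split("&")) {
    if (!pair) continue;
    const i = pair.indexOf("=");
    const k = i < 0 ? pair : pair.slice(0, i);
    const v = i < 0 ? "" : pair.slice(i + 1);
    params[safeDecode(k)] = safeDecode(v.replace(/\+/g, " "));
  }
  return params;
}

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(";")) {
    const p = part.trim();
    const i = p.indexOf("=");
    if (i <= 0) continue;
    cookies[p.slice(0, i)] = safeDecode(p.slice(i + 1));
  }
  return cookies;
}

// Escape the characters that can change meaning in HTML text and
// double-quoted attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the banner markup. With escape=false this is the vulnerable pattern:
// values taken from the URL and from a cookie are concatenated straight into
// HTML, so attacker-controlled text becomes attacker-controlled markup.
// With escape=true the same values are encoded first and render as text.
function renderBanner(search, cookieString, escape) {
  const db = parseQuery(search).db || "";
  const user = parseCookies(cookieString).user || "";
  const enc = escape ? escapeHtml : (s) => String(s);
  return '<div class="banner">' + enc(user) + " on " + enc(db) + "</div>";
}

// Crude check used by the demonstration: does a tag from the payload survive
// into the output unencoded? (Not a general XSS detector.)
function containsRawTag(html, tagName) {
  return html.toLowerCase().includes("<" + tagName.toLowerCase());
}

// Constructed sample inputs: an attacker-chosen URL parameter and cookie value.
const SAMPLE_SEARCH = "?db=%3Cscript%3Ealert(1)%3C%2Fscript%3E";
const SAMPLE_COOKIE = "theme=dark; user=%3Cimg%20src%3Dx%20onerror%3Dalert(2)%3E";

console.log("unsafe :", renderBanner(SAMPLE_SEARCH, SAMPLE_COOKIE, false));
console.log("escaped:", renderBanner(SAMPLE_SEARCH, SAMPLE_COOKIE, true));
```

The cookie case matters because a cookie is not under the victim's control either: anything that can set a cookie for the Futon origin (or a sibling host, depending on the cookie's domain) supplies the value that the page later echoes. Note also that escapeHtml is only correct for HTML text and quoted-attribute contexts; a value placed inside a script block, a URL or a CSS property needs the encoding for that context instead.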

Credit:
This XSS issue was discovered by a source that wishes to stay 
anonymous.

References:
http://couchdb.apache.org/downloads.html
http://wiki.apache.org/couchdb/Breaking_changes
http://en.wikipedia.org/wiki/Cross-site_scripting

Jan Lehnardt