[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[SECURITY] CVE-2016-8748: Apache NiFi XSS vulnerability in connection details dialogue

To: announce@xxxxxxxxxx
Subject: [SECURITY] CVE-2016-8748: Apache NiFi XSS vulnerability in connection details dialogue
From: Joe Witt <joewitt@xxxxxxxxxx>
Date: Mon, 16 Jan 2017 14:25:13 -0500

CVE-2016-8748: Apache NiFi XSS vulnerability in connection details dialogue

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache NiFi 1.0.0
Apache NiFi 1.1.0

Description: There is a cross-site scripting vulnerability in
connection details dialog when accessed by an authorized user. The
user supplied text was not be properly handled when added to the DOM.

Mitigation:
1.0.0 users should upgrade to 1.0.1 or 1.1.1.
1.1.0 users should upgrade to 1.1.1.  Additional migration guidance
can be found 
https://cwiki.apache.org/confluence/display/NIFI/Migration+Guidance.

Credit: This issue was discovered by Matt Gilman of the Apache NiFi
PMC during a code review.

References: https://nifi.apache.org/security.html

Prev by Date: [SECURITY] [DSA 3743-2] python-bottle regression update
Next by Date: ESA-2016-143: EMC Documentum Webtop and Clients Stored Cross-Site Scripting Vulnerability
Previous by thread: [SECURITY] [DSA 3743-2] python-bottle regression update
Next by thread: ESA-2016-143: EMC Documentum Webtop and Clients Stored Cross-Site Scripting Vulnerability
Index(es):
- Date
- Thread