[Full-disclosure] CVE-2010-3854: Apache CouchDB Cross Site Scripting Issue
- From: Jan Lehnardt <jan@xxxxxxxxxx>
- Date: Fri, 28 Jan 2011 22:22:45 +0100
CVE-2010-3854: Apache CouchDB Cross Site Scripting Issue
Vendor: The Apache Software Foundation
Versions Affected: Apache CouchDB 0.8.0 to 1.0.1
Apache CouchDB versions prior to version 1.0.2 are vulnerable to
cross site scripting (XSS) attacks.
All users should upgrade to CouchDB 1.0.2. Upgrades from the 0.11.x
and 0.10.x series should be seamless. Users on earlier versions
should consult http://wiki.apache.org/couchdb/Breaking_changes before upgrading.
Due to inadequate validation of request parameters and cookie data in
Futon, CouchDB's web-based administration UI, a malicious site can
execute arbitrary code in the context of a user's browsing session.
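To check a deployed instance against the affected range stated above (0.8.0 through 1.0.1, fixed in 1.0.2), here is an added example that is not part of the advisory or of CouchDB itself. It parses the `version` field from the JSON that CouchDB's root endpoint (`GET /`) returns and compares it with the range boundaries; the welcome body below is a constructed sample, not a captured response.

```python
import json
import re
from typing import Optional, Tuple

# Range taken from the advisory: 0.8.0 through 1.0.1 are affected,
# 1.0.2 carries the fix. Versions below 0.8.0 are outside the stated range.
FIRST_AFFECTED = (0, 8, 0)
FIXED_IN = (1, 0, 2)

# Constructed sample of the JSON body CouchDB's root endpoint (GET /) returns.
SAMPLE_WELCOME = '{"couchdb":"Welcome","version":"1.0.1"}'


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn '1.0.1' (or a tagged form such as '1.0.1-dev') into a comparable
    (major, minor, patch) tuple; returns None if the string is unparsable."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version: str) -> bool:
    """True when the version lies inside the advisory's affected range."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised CouchDB version string: {version!r}")
    return FIRST_AFFECTED <= parsed < FIXED_IN


def check_welcome_body(body: str) -> dict:
    """Evaluate the JSON body of GET / and report the version and whether
    it falls in the affected range, so a caller can decide on an upgrade."""
    data = json.loads(body)
    version = data.get("version")
    if not isinstance(version, str):
        raise ValueError("response lacks a string 'version' field")
    return {"version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    result = check_welcome_body(SAMPLE_WELCOME)
    status = "AFFECTED: upgrade to 1.0.2" if result["affected"] else "not in affected range"
    print(f"CouchDB {result['version']}: {status}")
```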
This XSS issue was discovered by a source that wishes to stay
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/