Cross-site Scripting (XSS) Affecting org.apache.deltaspike.modules:jsf-module-project package, versions [,1.8.1)


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
1.35% (80th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Cross-site Scripting (XSS) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JAVA-ORGAPACHEDELTASPIKEMODULES-32046
  • published31 Jan 2018
  • disclosed20 Dec 2017
  • creditMarkus Drenger

Introduced: 20 Dec 2017

CVE-2017-17837  (opens in a new tab)
CWE-79  (opens in a new tab)

How to fix?

Upgrade org.apache.deltaspike.modules:jsf-module-project to version 1.8.1 or higher.

Overview

org.apache.deltaspike.modules:jsf-module-project is a suite of portable CDI Extensions intended to make application development easier when working with CDI and Java EE.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to an insufficient escaping of special characters in the windowId handler. The default size of the windowId get's cut off after 10 characters (by default), so the impact is limited.

Details

CVSS Base Scores

version 3.1