Posted to announce@apache.org by Larry McCay <lm...@apache.org> on 2022/01/17 17:48:28 UTC

CVE-2021-42357: DOM based XSS Vulnerability in Apache Knox

Severity: moderate

Description:

When using Knox SSO in affected releases, a request could be crafted to
redirect a user to a malicious page due to improper URL parsing.
A request that included a specially crafted request parameter could be
used to redirect the user to a page controlled by an attacker. This URL
would need to be presented to the user outside the normal request flow,
through an XSS or phishing campaign.
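As an added illustration of the parsing problem the description points at (example code, not Apache Knox's own), the snippet below shows a redirect-target check done by string prefix beside one that parses the target as a URL and matches its scheme and host against an allow-list. The SSO origin, the allowed hosts and the sample targets are all constructed for the example.

```javascript
// Added example (not Apache Knox code): validating a post-login redirect
// target by parsing it as a URL instead of inspecting it as a string.
// The SSO origin and allowed hosts below are assumptions for the demo.
const SSO_ORIGIN = 'https://gateway.example.com/';
const ALLOWED_HOSTS = new Set(['gateway.example.com', 'apps.example.com']);

// Weak check: string-prefix matching. This is the shape "improper URL
// parsing" usually takes, and it accepts hosts that merely begin with
// the trusted name. Kept only to contrast with the parsed version.
function weakIsSafeRedirect(target) {
  return target.startsWith('https://gateway.example.com');
}

// Safe check: let the URL parser decide what the authority really is,
// then compare scheme and hostname exactly against the allow-list.
function isSafeRedirect(target) {
  let url;
  try {
    // Relative targets resolve against the SSO origin; anything the
    // parser rejects is refused rather than guessed at.
    url = new URL(target, SSO_ORIGIN);
  } catch (e) {
    return false;
  }
  if (url.protocol !== 'https:') return false;     // refuse http:, javascript:, ...
  if (url.username || url.password) return false;  // refuse user@host authorities
  return ALLOWED_HOSTS.has(url.hostname);          // exact hostname match
}

// Final redirect decision: an unsafe target falls back to the SSO root
// instead of being passed through.
function resolveRedirect(target) {
  return isSafeRedirect(target) ? new URL(target, SSO_ORIGIN).href : SSO_ORIGIN;
}
```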

Mitigation:

1.x users should upgrade to 1.6.1.
Unsupported versions of the 0.x line that include this issue are 0.13.0 and 0.14.0;
these should upgrade to 1.6.1 as well.
1.0.0 and 1.1.0 are also unsupported but affected and should upgrade to 1.6.1.


Credit:

Apache Knox would like to thank Kajetan Rostojek for this report.
