Posted to issues@mesos.apache.org by "Jacob Janco (JIRA)" <ji...@apache.org> on 2017/01/18 23:35:26 UTC

[jira] [Commented] (MESOS-6947) Fix pailer XSS vulnerability

    [ https://issues.apache.org/jira/browse/MESOS-6947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15828978#comment-15828978 ] 

Jacob Janco commented on MESOS-6947:
------------------------------------

https://reviews.apache.org/r/55691

> Fix pailer XSS vulnerability
> ----------------------------
>
>                 Key: MESOS-6947
>                 URL: https://issues.apache.org/jira/browse/MESOS-6947
>             Project: Mesos
>          Issue Type: Improvement
>          Components: webui
>            Reporter: Jacob Janco
>            Assignee: Jacob Janco
>
> There exists an XSS vulnerability in pailer.html.
> `window.name` can be set to an external domain serving js which is wrapped in `<script>` tags by the `getJSON` async call. A detailed example will follow acceptance of the patch. 


