You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@couchdb.apache.org by Jan Lehnardt <ja...@apache.org> on 2011/01/28 22:22:45 UTC

CVE-2010-3854: Apache CouchDB Cross Site Scripting Issue

CVE-2010-3854: Apache CouchDB Cross Site Scripting Issue

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache CouchDB 0.8.0 to 1.0.1

Description:
Apache CouchDB versions prior to version 1.0.2 are vulnerable to
cross site scripting (XSS) attacks.

Mitigation:
All users should upgrade to CouchDB 1.0.2. Upgrades from the 0.11.x
and 0.10.x series should be seamless. Users on earlier versions 
should consult http://wiki.apache.org/couchdb/Breaking_changes

Example:
Due to inadequate validation of request parameters and cookie data in
Futon, CouchDB's web-based administration UI, a malicious site can
execute arbitrary code in the context of a user's browsing session.

Credit:
This XSS issue was discovered by a source that wishes to stay 
anonymous.

References:
http://couchdb.apache.org/downloads.html
http://wiki.apache.org/couchdb/Breaking_changes
http://en.wikipedia.org/wiki/Cross-site_scripting

Jan Lehnardt
--