You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@tomee.apache.org by Jonathan Gallimore <jg...@apache.org> on 2018/07/23 19:58:40 UTC

CVE-2018-8031 Apache TomEE Webapp XSS

CVE-2018-8031 Apache TomEE Webapp XSS

Severity: Low

Vendor: The Apache Software Foundation

Description:
The TomEE console (tomee-webapp) has a XSS vulnerability which could allow
javascript to be executed if the user is given a malicious URL. This web
application is typically used to add TomEE features to a Tomcat
installation. The TomEE bundles do not ship with this application included.

Mitigation:
This issue can be mitigated by removing the application after TomEE is
setup (if using the application to install TomEE), using one of the
provided pre-configured bundles, or by upgrading to TomEE 7.0.5.

This issue is resolve in this commit: b8bbf50c23ce97dd64f3a5d77f78f8
4e47579863

Credit: Many thanks to Man Yue Mo from Semmle for reporting this issue.