Posted to announce@apache.org by Dave Brondsema <br...@apache.org> on 2019/06/18 14:55:30 UTC

CVE-2019-10085 Apache Allura XSS vulnerability

CVE-2019-10085 Apache Allura XSS vulnerability in ticket user dropdown selector

Severity: Important
Versions Affected: 1.10.0 and earlier

Description:
A vulnerability exists for stored XSS on the user dropdown selector when
creating or editing tickets.  The XSS executes when a user engages with that
dropdown on that page.

Mitigation:
Users of Allura should upgrade to Allura 1.11.0 immediately.

Credit:
This issue was discovered by Bob "Wombat" Hogg