Source: log4cxx
Version: 1.4.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/apache/logging-log4cxx/pull/509 https://github.com/apache/logging-log4cxx/pull/514
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1.0.0-1

Hi,

The following vulnerability was published for log4cxx.

CVE-2025-54812[0]:
| Improper Output Neutralization for Logs vulnerability in Apache
| Log4cxx. When using HTMLLayout, logger names are not properly
| escaped when writing out to the HTML file. If untrusted data is used
| to retrieve the name of a logger, an attacker could theoretically
| inject HTML or Javascript in order to hide information from logs or
| steal data from the user. In order to activate this, the following
| sequence must occur:
|
| * Log4cxx is configured to use HTMLLayout.
| * Logger name comes from an untrusted string
| * Logger with compromised name logs a message
| * User opens the generated HTML log file in their browser, leading to
|   potential XSS
|
| Because logger names are generally constant strings, we assess the
| impact to users as LOW
|
| This issue affects Apache Log4cxx: before 1.5.0.
|
| Users are recommended to upgrade to version 1.5.0, which fixes the
| issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-54812
    https://www.cve.org/CVERecord?id=CVE-2025-54812
[1] https://logging.apache.org/security.html#CVE-2025-54812
[2] https://github.com/apache/logging-log4cxx/pull/509
[3] https://github.com/apache/logging-log4cxx/commit/1c599de956ae9eedd8b5e3f744bfb867c39e8bba
[4] https://github.com/apache/logging-log4cxx/pull/514
[5] https://github.com/apache/logging-log4cxx/commit/36d829e9f6c3f9f4f9a42e22df326a9ed7b6e373

Regards,
Salvatore
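The weakness described in the CVE text is an HTML table layout that escapes the message column but copies the logger name into the output verbatim. The following is an added illustration, not log4cxx's HTMLLayout and not code from the upstream fix: `formatRowUnescaped` is a hypothetical "before" layout that writes the logger name raw, `formatRowEscaped` applies the same HTML entity escaping to every field, and `containsRawTag` is a simple check a reviewer or test could run over rendered output. The logger name containing a tag is a constructed sample, not data from the report.

```cpp
#include <cassert>
#include <iostream>
#include <string>

// Escape the five characters that can change HTML structure or attribute
// context. This is the neutralization step the advisory says was missing
// for the logger-name column.
std::string htmlEscape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Hypothetical "before" layout (illustration only): the message is escaped,
// but the logger name is interpolated raw, so any markup in the name
// becomes part of the page.
std::string formatRowUnescaped(const std::string& logger,
                               const std::string& level,
                               const std::string& message) {
    return "<tr><td>" + level + "</td><td>" + logger +
           "</td><td>" + htmlEscape(message) + "</td></tr>";
}

// Hardened layout: every field that originates outside the layout code is
// escaped, regardless of whether it is "usually" a constant string.
std::string formatRowEscaped(const std::string& logger,
                             const std::string& level,
                             const std::string& message) {
    return "<tr><td>" + htmlEscape(level) + "</td><td>" + htmlEscape(logger) +
           "</td><td>" + htmlEscape(message) + "</td></tr>";
}

// Detection-style check for tests or output review: rendered HTML produced
// from a single log row should never contain a raw tag the layout did not
// emit itself.
bool containsRawTag(const std::string& html, const std::string& tag) {
    return html.find(tag) != std::string::npos;
}

int main() {
    // Constructed sample: a logger whose name was derived from untrusted input.
    const std::string untrustedLogger = "orders<script>alert(1)</script>";
    std::cout << "before: " << formatRowUnescaped(untrustedLogger, "INFO", "ok") << "\n";
    std::cout << "after:  " << formatRowEscaped(untrustedLogger, "INFO", "ok") << "\n";
    return 0;
}
```

The escaped form renders the logger name as literal text in the browser, which is what the upstream 1.5.0 fix achieves for HTMLLayout; the check in `containsRawTag` is the kind of assertion worth keeping in a layout's unit tests so the regression cannot silently return.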

