[
https://issues.apache.org/jira/browse/TIKA-2829?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16785101#comment-16785101
]
Tim Allison commented on TIKA-2829:
-----------------------------------
Thank you for the link. Can you put together an example input file, run it
through Tika and point out the problematic parts? We do quite a bit before the
entities get to boilerpipe... I'm not yet convinced from the report that this
affects us. I'm completely willing to believe it does, though, with a concrete
example. Thank you!
> Security Vulnerability in boilerpipe (CVE-2018-16481)
> -----------------------------------------------------
>
> Key: TIKA-2829
> URL: https://issues.apache.org/jira/browse/TIKA-2829
> Project: Tika
> Issue Type: Bug
> Components: parser
> Affects Versions: 1.20
> Reporter: Alex LI
> Priority: Major
>
> org.apache.tika:tika-parsers:1.20 depends on boilerpipe, which the
> dependency reflections uses.
> [https://nvd.nist.gov/vuln/detail/CVE-2018-16481]
> h3. Current Description
> An XSS vulnerability was found in html-page <=2.1.1 that allows malicious
> JavaScript code to be executed in the user's browser due to the absence of
> sanitization of the paths before rendering.
> ==========================
> [info] de.l3s.boilerpipe:boilerpipe:1.1.0
> [info] +-org.apache.tika:tika-parsers:1.20
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)