Adding the correct [email protected] list. Yusaku
From: Yusaku Sako Date: Monday, October 12, 2015 at 6:34 PM To: Mark Kerzner, Yosef Kerzner, "[email protected]<mailto:[email protected]>", "[email protected]<mailto:[email protected]>", "[email protected]<mailto:[email protected]>", "[email protected]<mailto:[email protected]>", "[email protected]<mailto:[email protected]>" Subject: [CVE-2015-3186] Apache Ambari XSS vulnerability CVE-2015-3186: Apache Ambari XSS vulnerability Severity: Important Vendor: The Apache Software Foundation Versions Affected: 1.7.0 to 2.0.2 Versions Fixed: 2.1.0 Description: Ambari allows authenticated cluster operator users to specify arbitrary text as a note when saving configuration changes. This note field is rendered as is (unescaped HTML). This exposes opportunities for XSS. Mitigation: Ambari users should upgrade to version 2.1.0 or above. Version 2.1.0 onwards properly HTML-escapes the note field associated with configuration changes. Credit: Hacker Y on the Elephant Scale team. References: https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities
