Hi all,

I am trying to find out whether CVE-2020-13959 also affects the older Velocity 1.7 version:

    <groupId>org.apache.velocity</groupId>
    <artifactId>velocity</artifactId>
    <version>1.7</version>

as we are using dependencies that require this old Velocity version. Unfortunately, the CVE description on NVD is not clear about this. Furthermore, I tried to check it myself based on the GitHub repo, but was not successful. It would be very kind if someone could help me.

Kind regards,
Michael

On 2021/03/10 06:50:56, Will Glass-Husain <w...@gmail.com> wrote:
> Description:
>
> The default error page for VelocityView reflects back the vm file that
> was entered as part of the URL. An attacker can set an XSS payload
> file as this vm file in the URL which results in this payload being
> executed.
>
> XSS vulnerabilities allow attackers to execute arbitrary JavaScript in
> the context of the attacked website and the attacked user. This can be
> abused to steal session cookies, perform requests in the name of the
> victim or for phishing attacks.
>
> Mitigation:
>
> Applications based on Apache Velocity Tools should upgrade to version
> 3.1. This version escapes the reflected text on the default error
> page, preventing potential javascript execution.
>
> Credit:
>
> This issue was reported and a patch was submitted by Jackson Henry,
> member of Sakura Samurai.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@velocity.apache.org
> For additional commands, e-mail: user-h...@velocity.apache.org
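The advisory quoted above describes one pattern: the view layer takes the requested .vm name from the URL and writes it verbatim into the HTML of the default error page, and the fix in Velocity Tools 3.1 is to HTML-escape that reflected text. The following is an added illustration of that pattern and of the check a practitioner would run against an error page; it is not code from Velocity Tools or the Velocity engine, it is written in Python rather than Java so it runs stand-alone, and the request path, function names and page markup are constructed for this example.

```python
"""Added example: an error page that reflects the requested template name,
in its vulnerable (unescaped) and fixed (HTML-escaped) forms, plus a check
that tells the two apart. Not Velocity Tools code; names are assumptions."""
import html
from urllib.parse import quote, unquote, urlsplit

# Constructed sample request: the last path segment (the ".vm" name the
# view layer would look up) carries a script payload, URL-encoded as a
# browser would send it.
PAYLOAD = '<script>alert(document.cookie)</script>'
ATTACK_PATH = '/app/view/' + quote(PAYLOAD, safe='') + '.vm'


def requested_template(path: str) -> str:
    """Return the URL-decoded last path segment of a request path.

    The segment is split off before decoding so an encoded '/' inside the
    payload (%2F) cannot shift which segment is treated as the name.
    """
    segments = urlsplit(path).path.split('/')
    return unquote(segments[-1])


def error_page_unescaped(name: str) -> str:
    """Vulnerable shape: the template name is interpolated into HTML as-is,
    so any markup in it becomes part of the page and runs in the browser."""
    return (
        '<html><body><h1>Error</h1>'
        f"<p>Could not load template '{name}'</p>"
        '</body></html>'
    )


def error_page_escaped(name: str) -> str:
    """Fixed shape: the name is HTML-escaped (including quotes) before it is
    interpolated, so the browser renders it as text, not markup."""
    safe_name = html.escape(name, quote=True)
    return (
        '<html><body><h1>Error</h1>'
        f"<p>Could not load template '{safe_name}'</p>"
        '</body></html>'
    )


def reflects_unescaped(body: str, payload: str) -> bool:
    """Check used when probing an error page: True if the raw payload markup
    appears verbatim in the response body, i.e. it was not escaped."""
    return payload in body


def check_pair() -> tuple:
    """Run the probe against both page variants for the constructed request.
    Returns (vulnerable_reflects, fixed_reflects)."""
    name = requested_template(ATTACK_PATH)
    vulnerable = error_page_unescaped(name)
    fixed = error_page_escaped(name)
    return reflects_unescaped(vulnerable, PAYLOAD), reflects_unescaped(fixed, PAYLOAD)


if __name__ == '__main__':
    vuln, fixed = check_pair()
    print('decoded template name:', requested_template(ATTACK_PATH))
    print('unescaped error page reflects payload:', vuln)
    print('escaped error page reflects payload:  ', fixed)
```

To apply the same check to a real deployment, request a non-existent template whose name contains a harmless marker such as `<b>probe</b>` and inspect the error response: if the marker comes back as `&lt;b&gt;probe&lt;/b&gt;` the reflected text is escaped, if it comes back as literal `<b>` tags it is not.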