17.3. CVE-2010-3854: Apache CouchDB Cross Site Scripting Issue
| Date | Affected | Severity | Vendor |
|---|---|---|---|
| 28.01.2011 | Apache CouchDB 0.8.0 to 1.0.1 | Important | The Apache Software Foundation |
17.3.1. Description
Apache CouchDB versions prior to version 1.0.2 are vulnerable to Cross Site Scripting (XSS) attacks.
17.3.2. Mitigation
All users should upgrade to CouchDB 1.0.2.
Upgrades from the 0.11.x and 0.10.x series should be seamless.
Users on earlier versions should consult with upgrade notes.
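To confirm that an instance has actually been upgraded past the affected range, an administrator can compare the version reported by CouchDB's root welcome document (`GET /` returns JSON such as `{"couchdb":"Welcome","version":"1.0.1"}`) against the 0.8.0 to 1.0.1 range from this advisory. The following check is an added example, not part of the advisory or of the CouchDB project; the sample responses are constructed for an offline run.

```python
import json
import re
from typing import Optional, Tuple

# Version range taken from the advisory: CouchDB 0.8.0 through 1.0.1 are affected;
# 1.0.2 is the fixed release.
AFFECTED_MIN = (0, 8, 0)
AFFECTED_MAX = (1, 0, 1)
FIXED = (1, 0, 2)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn a version string such as '1.0.1' or '0.11.2-dev' into a comparable
    (major, minor, patch) tuple; return None when no numeric version is present."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def version_from_welcome(body: str) -> Optional[Tuple[int, int, int]]:
    """Extract the server version from the JSON body CouchDB returns for GET /."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    version = doc.get("version") if isinstance(doc, dict) else None
    return parse_version(version) if isinstance(version, str) else None


def assess(body: str) -> str:
    """Classify a welcome document against CVE-2010-3854: 'affected' (0.8.0-1.0.1),
    'fixed' (1.0.2 or later), 'not-listed' (older than 0.8.0) or 'unknown'."""
    v = version_from_welcome(body)
    if v is None:
        return "unknown"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v >= FIXED:
        return "fixed"
    return "not-listed"


# Constructed sample responses (not captured from a real server) for an offline run.
SAMPLES = {
    "vulnerable": '{"couchdb":"Welcome","version":"1.0.1"}',
    "patched": '{"couchdb":"Welcome","version":"1.0.2"}',
    "old_series": '{"couchdb":"Welcome","version":"0.10.2"}',
    "garbled": "not json at all",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name}: {assess(body)}")
```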
17.3.3. Example
Due to inadequate validation of request parameters and cookie data in Futon, CouchDB’s web-based administration UI, a malicious site can execute arbitrary code in the context of a user’s browsing session.
17.3.4. Credit
This XSS issue was discovered by a source that wishes to stay anonymous.