Donald Kwakkel created CMIS-938:
-----------------------------------
Summary: Cross-Site Scripting: Reflected Vulnerability in index.jsp
Key: CMIS-938
URL: https://issues.apache.org/jira/browse/CMIS-938
Project: Chemistry
Issue Type: Bug
Components: opencmis-client
Affects Versions: OpenCMIS 0.13.0
Reporter: Donald Kwakkel
The method _jspService() in index.jsp sends unvalidated data to a web browser
on line 131, which can result in the browser executing malicious code.
Explanation:
Cross-site scripting (XSS) vulnerabilities occur when:
1. Data enters a web application through an untrusted source. In the case of
Reflected XSS, the untrusted source is typically a web request, while in the
case of Persisted (also known as Stored) XSS it is typically a database or
other back-end datastore.
In this case the data enters at getHeader() in
ProxyHttpServletRequestWrapper.java at line 41.
2. The data is included in dynamic content that is sent to a web user without
being validated.
In this case the data is sent at println() in index.jsp at line 131.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
