This is an automated email from the ASF dual-hosted git repository. pkarwasz pushed a commit to branch fix/new-cves in repository https://gitbox.apache.org/repos/asf/logging-site.git
commit 715e446055a9d4f38688733e12030fec1d5ffbde Author: Piotr P. Karwasz <[email protected]> AuthorDate: Fri Apr 10 14:13:14 2026 +0200 fix: typos in _vulnerabilities.adoc --- src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc b/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc index f9158ae0..6ab5ffc2 100644 --- a/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc +++ b/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc @@ -37,7 +37,7 @@ For brevity, mathematical interval notation is used, with the union operator (` |Summary |Missing TLS hostname verification in Socket appender |CVSS 4.x Score & Vector |6.3 MEDIUM (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N) |Components affected |Log4j Core -|Versions affected |`[2.0-beta9, 2.25.3)` +|Versions affected |`[2.0-beta9, 2.25.3) ∪ [3.0.0-alpha1, 3.0.0-beta3]Ba` |Versions fixed |`2.25.3` |=== @@ -128,7 +128,7 @@ This issue was discovered and remediated with support from the Sovereign Tech Ag === Description When using `HTMLLayout`, logger names are not properly escaped when writing out to the HTML file. -If untrusted data is used to retrieve the name of a logger, an attacker could theoretically inject HTML or Javascript in order to hide information from logs or steal data from the user. +If untrusted data is used to retrieve the name of a logger, an attacker could theoretically inject HTML or JavaScript in order to hide information from logs or steal data from the user. In order to activate this, the following sequence must occur: * Log4cxx is configured to use `HTMLLayout`.
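Review bot: The added `Versions affected` row in the first hunk (`@@ -37,7 +37,7 @@`) ends with a stray `Ba` inside the backticks, so the published interval will read `[3.0.0-alpha1, 3.0.0-beta3]Ba`; remove those two characters before the closing backtick. The same line also adds a whole 3.x range, which changes the advisory's scope and is not a typo fix, so it should be called out in the commit message or split into its own commit. The `Versions fixed` row directly below still lists only `2.25.3`, so once the 3.x range is added the table should either name a fixed 3.x release or say explicitly that none is available.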
