Source: velocity-tools
Version: 2.0-7
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for velocity-tools.

CVE-2020-13959[0]:
| The default error page for VelocityView in Apache Velocity Tools prior
| to 3.1 reflects back the vm file that was entered as part of the URL.
| An attacker can set an XSS payload file as this vm file in the URL
| which results in this payload being executed. XSS vulnerabilities
| allow attackers to execute arbitrary JavaScript in the context of the
| attacked website and the attacked user. This can be abused to steal
| session cookies, perform requests in the name of the victim or for
| phishing attacks.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-13959
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13959
[1] https://www.openwall.com/lists/oss-security/2021/03/10/2

Regards,
Salvatore
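Added illustration of the defect class the report describes, not code from the report, from Apache Velocity Tools or from Debian: a minimal Python model of an error page that reflects the requested template name into HTML, first unescaped (the behaviour CVE-2020-13959 describes) and then with the value escaped for the HTML text context it lands in, plus a small regression check a test suite can apply to any response that echoes request data. The sample template name is constructed; it only needs to contain markup-significant characters to show the difference.

```python
import html

# Constructed sample: a value that arrived in the URL as the template name.
# Not taken from the report; it just contains characters significant in HTML.
SAMPLE_TEMPLATE_NAME = 'missing.vm"><b>not a template</b>'


def render_error_page_unescaped(template_name: str) -> str:
    """Model of a default error page that echoes the requested template name
    straight into the response body. Whatever the URL carried becomes
    markup in the page, which is a reflected XSS sink."""
    return (
        "<html><body><h1>Error</h1>"
        f"<p>Could not render template {template_name}</p>"
        "</body></html>"
    )


def render_error_page_escaped(template_name: str) -> str:
    """Hardened variant: the reflected value is HTML-escaped for the element
    text context it is placed in, so the browser displays it rather than
    interpreting it. quote=True also covers attribute contexts."""
    safe_name = html.escape(template_name, quote=True)
    return (
        "<html><body><h1>Error</h1>"
        f"<p>Could not render template {safe_name}</p>"
        "</body></html>"
    )


def reflects_raw_markup(page: str, untrusted: str) -> bool:
    """Regression check: an untrusted string that contains markup-significant
    characters must never appear verbatim in the rendered response."""
    has_markup = any(ch in untrusted for ch in "<>\"'&")
    return has_markup and untrusted in page


if __name__ == "__main__":
    for render in (render_error_page_unescaped, render_error_page_escaped):
        page = render(SAMPLE_TEMPLATE_NAME)
        verdict = "REFLECTS RAW MARKUP" if reflects_raw_markup(page, SAMPLE_TEMPLATE_NAME) else "escaped"
        print(f"{render.__name__}: {verdict}")
```

The check is deliberately coarse: it flags any verbatim echo of request data containing `<`, `>`, quotes or `&`, which is cheap to run over every error and "not found" response in an integration test and catches exactly the pattern the CVE text describes, an error path that was never routed through the application's output encoding.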