Vulnerability Description
The Apache DeltaSpike-JSF 1.8.0 module has a XSS injection leak in the windowId handling. The default size of the windowId get's cut off after 10 characters (by default), so the impact might be limited. A fix got applied and released in Apache deltaspike-1.8.1.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Deltaspike | 1.8.0 |
Related Weaknesses (CWE)
References
- https://git-wip-us.apache.org/repos/asf?p=deltaspike.git%3Bh=4e25023
- https://issues.apache.org/jira/browse/DELTASPIKE-1307ExploitIssue TrackingPatch
- https://lists.apache.org/thread.html/r17b326c0eb35d8c71c84c171eda83e3e1f011dc757
- https://lists.apache.org/thread.html/r78565f0f4ecb4ad32a6c405b45b9ee568dfc4729ba
- https://git-wip-us.apache.org/repos/asf?p=deltaspike.git%3Bh=4e25023
- https://issues.apache.org/jira/browse/DELTASPIKE-1307ExploitIssue TrackingPatch
- https://lists.apache.org/thread.html/r17b326c0eb35d8c71c84c171eda83e3e1f011dc757
- https://lists.apache.org/thread.html/r78565f0f4ecb4ad32a6c405b45b9ee568dfc4729ba
FAQ
What is CVE-2017-17837?
CVE-2017-17837 is a vulnerability with a CVSS score of 6.1 (MEDIUM). The Apache DeltaSpike-JSF 1.8.0 module has a XSS injection leak in the windowId handling. The default size of the windowId get's cut off after 10 characters (by default), so the impact might be limite...
How severe is CVE-2017-17837?
CVE-2017-17837 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-17837?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Deltaspike.