Details
- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Fix Version/s: 1.1, 1.2
- Security Level: public (Regular issues)
- None
- Patch Available
Description
Oliver Karow has reported a cross-site scripting vulnerability in the Tomcat jsp-examples that are included in Geronimo. It fails on both Jetty and Tomcat.
This can be reproduced with the following URLs (the `time` parameter is reflected into the page without escaping):
http://localhost:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert('Gotcha')</script>
http://localhost:8080/jsp-examples/cal/cal2.jsp?time="/><script>alert(document.cookie)</script>
This JIRA does not address a related problem in the admin console. That problem is addressed in GERONIMO-1474.
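The pattern behind the report and its fix, as an added example that is not the Geronimo or Tomcat source: the real `cal2.jsp` is not reproduced here, so the vulnerable rendering line is an assumed reconstruction of an unescaped reflection of the `time` parameter into an attribute value, and `escapeHtmlAttribute` is the hypothetical helper applied in the fixed version.

```java
// Added example, not from the Geronimo/Tomcat jsp-examples source.
public class TimeParamEscaping {

    // Assumed shape of the vulnerable output: the "time" request parameter is
    // concatenated straight into an attribute value, so a double quote in the
    // input closes the attribute and any markup that follows is parsed as HTML.
    static String renderVulnerable(String time) {
        return "<input name=\"time\" value=\"" + time + "\"/>";
    }

    // Escape the characters that can break out of an HTML attribute value.
    static String escapeHtmlAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Fixed form: the same template, with the parameter escaped before output.
    static String renderFixed(String time) {
        return "<input name=\"time\" value=\"" + escapeHtmlAttribute(time) + "\"/>";
    }

    public static void main(String[] args) {
        // The payload from the report, as the container would decode the parameter.
        String payload = "\"/><script>alert('Gotcha')</script>";
        System.out.println("vulnerable: " + renderVulnerable(payload));
        System.out.println("fixed:      " + renderFixed(payload));
        // The escaped output contains no raw '<' from the input, so the browser
        // creates no element from it; the text lands inside the attribute value.
        boolean neutralised = !renderFixed(payload).contains("<script");
        System.out.println("script tag neutralised: " + neutralised);
    }
}
```

In the JSP itself the equivalent of the fixed branch is writing the parameter through JSTL's `fn:escapeXml` (`${fn:escapeXml(param.time)}`) instead of a raw `<%= request.getParameter("time") %>`.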