Solr / SOLR-74

Cross-site scripting vulnerabilities


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.1.0
    • Component/s: Admin UI
    • Labels: None

    Description

      There are a number of cross-site scripting vulnerabilities in the Solr admin JSP pages, wherever data is being re-displayed as typed by the user.

      For example, in analysis.jsp:

          <textarea class="std" rows="1" cols="70" name="qval"><%= qval %></textarea>

      These need to be modified to HTML escape the values rather than directly outputting the exact values.

      The other affected JSP pages: action.jsp and get-file.jsp


          People

            hossman Chris M. Hostetter
            ehatcher Erik Hatcher