Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
[Full-disclosure] CVE-2012-2381: Apache Roller Cross-Site-Scripting (XSS) vulnerability

From: Dave (snoopdavegmail.com)
Date: Sun Jun 24 2012 - 12:03:27 CDT

Severity: important

Vendor: The Apache Software Foundation

Versions Affected:
Roller 4.0.0 to Roller 4.0.1
Roller 5.0
The unsupported Roller 3.1 release is also affected

Roller trusts bloggers to post HTML and JavaScript code in the weblog
and for some sites this can be a problem because users are untrusted
and could post malicious code and exploit XSS. This issue has be
addressed by added a new configiration property weblogAdminsUntrusted
flag that, when set to 'true' will cause all weblog content to be HTML

Roller 4.0 and 4.0.1 users should upgrade to Roller 5.0.1
Roller 5.0 users should upgrade to Roller 5.0.1
Roller 3.1 users should upgrade to Roller 5.0.1

This issue was discovered by Jun Zhu, PhD student, University of North
Carolina, Charlotte

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/