Velocity Tools XSS Vulnerability

The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.

N/A

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Iteris Apache Velocity 跨站脚本漏洞

Iteris Apache Velocity是美国 （Iteris）公司的一个应用软件。用于创建和维护与Apache Velocity Engine相关的开源软件功能。 Apache Velocity 3.1 存在安全漏洞，攻击者可利用该漏洞窃取会话cookie，以受害者的名义执行请求或进行网络钓鱼攻击。

N/A

N/A