Apache Tiles: Unvalidated input may lead to path traversal and XXE

** UNSUPPORTED WHEN ASSIGNED ** The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when passing user-controlled data to this key. Passing user-controlled data to this key may be relatively common, as it was also used like that to set the language in the 'tiles-test' application shipped with Tiles. This issue affects Apache Tiles from version 2 onwards. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

N/A

对路径名的限制不恰当(路径遍历)

Apache Tiles 输入验证错误漏洞

Apache Tiles是美国阿帕奇（Apache）基金会的一个JavaEE应用的页面布局框架。 Apache Tiles 2.0.0之前版存在输入验证错误漏洞，该漏洞源于在解析 XML 定义文件时，未在会话上验证设置为 DefaultLocaleResolver.LOCALE_KEY 属性的值，从而导致路径遍历，并最终在将用户控制的数据传递到此密钥时出现服务器请求伪造或xml外部实体攻击。

N/A

N/A