[MAVEN:GHSA-QW4H-3XJJ-84CC] Apache Tiles: Unvalidated input may lead to path traversal and XXE
Severity: High
Affected Packages: 1
CVEs: 1
The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when user-controlled data is passed to this key. Passing user-controlled data to this key may be relatively common, as the 'tiles-test' application shipped with Tiles also used it that way to set the language.
This issue affects Apache Tiles from version 2 onwards.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
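The advisory's root cause is that a locale taken from the user reaches the definition-file lookup unchecked. The following Java helper is an added example (not Tiles project code and not part of the original advisory) showing the two defensive layers an application embedding Tiles can apply: allow-listing the locale before it is stored under the session key, and parsing XML with DTD and external-entity resolution disabled. The string value of `LOCALE_KEY`, the assumption that the resolver reads a `java.util.Locale` object from that attribute (as the tiles-test application set it), the `SUPPORTED` set and the `hardenedXmlFactory` method are all assumptions for illustration; Tiles' own definition parser is not shown on this page, so the JAXP hardening stands in for whatever parser configuration a given Tiles version uses.

```java
import java.util.Locale;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

public final class LocaleInputGuard {

    // Assumed to match the value of DefaultLocaleResolver.LOCALE_KEY; verify against the Tiles version in use.
    static final String LOCALE_KEY = "org.apache.tiles.LOCALE";

    // Locales the application actually ships definition files for (constructed allow-list for this example).
    private static final Set<Locale> SUPPORTED = Set.of(Locale.ENGLISH, Locale.GERMANY, Locale.FRANCE);

    // Shape of a legitimate locale string: language, optional country, optional variant.
    // Path separators, dots and other characters never match, so "../" style input is rejected here.
    private static final Pattern LOCALE_SHAPE =
            Pattern.compile("[a-z]{2,3}(_[A-Z]{2})?(_[A-Za-z0-9]{1,8})?");

    private LocaleInputGuard() {}

    // Returns a Locale only if the raw value both looks like a locale and is one the app supports.
    static Optional<Locale> parseSupportedLocale(String raw) {
        if (raw == null || !LOCALE_SHAPE.matcher(raw).matches()) {
            return Optional.empty();
        }
        String[] parts = raw.split("_", 3);
        Locale candidate = switch (parts.length) {
            case 1 -> new Locale(parts[0]);
            case 2 -> new Locale(parts[0], parts[1]);
            default -> new Locale(parts[0], parts[1], parts[2]);
        };
        // Exact-match against the allow-list: a syntactically valid but unknown locale is still rejected.
        return SUPPORTED.contains(candidate) ? Optional.of(candidate) : Optional.empty();
    }

    // Called from the handler that lets a user pick a language. On bad input the session is left
    // untouched, so the resolver keeps falling back to its default instead of a caller-chosen value.
    static boolean applyLocaleFromRequest(HttpServletRequest request, String paramName) {
        Optional<Locale> locale = parseSupportedLocale(request.getParameter(paramName));
        if (locale.isEmpty()) {
            return false;
        }
        HttpSession session = request.getSession(true);
        session.setAttribute(LOCALE_KEY, locale.get());
        return true;
    }

    // Second layer (assumed JAXP configuration, independent of Tiles' own parser): definition files
    // are parsed with DOCTYPE and external entities disabled, so a file reached by mistake cannot
    // pull in local files or remote URLs via entity expansion.
    static DocumentBuilderFactory hardenedXmlFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }
}
```

The allow-list is the part that matters most: the regex only narrows the character set, while the `SUPPORTED` check guarantees that whatever lands in the session corresponds to a definition file the application deliberately ships. A deployment that cannot upgrade tiles-core should at least ensure no code path writes an unvalidated value to that session attribute.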
| Package | Affected Version |
|---|---|
| pkg:maven/org.apache.tiles/tiles-core | >= 2.0.0 |
- ID: MAVEN:GHSA-QW4H-3XJJ-84CC
- Severity: high
- URL: https://github.com/advisories/GHSA-qw4h-3xjj-84cc
- Published: 2023-12-01T00:31:00
- Modified: 2023-12-11T21:45:44
- Rights: Maven Security Team
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:maven/org.apache.tiles/tiles-core | org.apache.tiles | tiles-core | >= 2.0.0 | | | |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Publication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|