Apache: >> Deltaspike Security Vulnerabilities
we got reports for 2 injection attacks against the DeltaSpike windowhandler.js. This is only active if a developer selected the ClientSideWindowStrategy which is not the default.
CVSS Score
6.1
EPSS Score
0.009
Published
2020-03-19
The Apache DeltaSpike-JSF 1.8.0 module has a XSS injection leak in the windowId handling. The default size of the windowId get's cut off after 10 characters (by default), so the impact might be limited. A fix got applied and released in Apache deltaspike-1.8.1.
CVSS Score
6.1
EPSS Score
0.013
Published
2018-01-04