16.3. CVE-2010-3854: Apache CouchDB Cross Site Scripting Issue

Date:28.01.2011
Affected:Apache CouchDB 0.8.0 to 1.0.1
Severity:Important
Vendor:The Apache Software Foundation

16.3.1. Description

Apache CouchDB versions prior to version 1.0.2 are vulnerable to Cross Site Scripting (XSS) attacks.

16.3.2. Mitigation

All users should upgrade to CouchDB 1.0.2.

Upgrades from the 0.11.x and 0.10.x series should be seamless.

Users on earlier versions should consult with upgrade notes.

16.3.3. Example

Due to inadequate validation of request parameters and cookie data in Futon, CouchDB’s web-based administration UI, a malicious site can execute arbitrary code in the context of a user’s browsing session.

16.3.4. Credit

This XSS issue was discovered by a source that wishes to stay anonymous.