XSS injection from URL parameter
05 May 2015
An XSS vulnerability has been found in Play’s URL rendering.
This affects any application that uses Play’s URL rendering.
- Play 1.2.0 - 1.2.7
- Play 1.3.0
Encode the parameter before using it.
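What the workaround looks like in application code, as an added example that is not part of the original advisory and is not Play's own code. The class and helper names are hypothetical, the sample value is constructed, and only the JDK's `java.net.URLEncoder` is used.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

// Added example: hypothetical helpers, not Play framework APIs.
public class UrlParamEncoding {

    // Percent-encode an untrusted value for use as a query-string value.
    static String encodeQueryValue(String value) {
        try {
            return URLEncoder.encode(value, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is always available", e);
        }
    }

    // Escape the characters that are significant inside an HTML attribute.
    static String escapeHtmlAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Build a link; path and name are assumed to be trusted constants,
    // only the value comes from request input.
    static String link(String path, String name, String untrustedValue) {
        String url = path + "?" + name + "=" + encodeQueryValue(untrustedValue);
        return "<a href=\"" + escapeHtmlAttribute(url) + "\">next</a>";
    }

    public static void main(String[] args) {
        // Constructed sample input containing attribute-breaking characters.
        String value = "a\"><b>x</b>";
        // Unencoded: raw concatenation lets the value close the href attribute.
        System.out.println("<a href=\"/list?q=" + value + "\">next</a>");
        // Encoded: the value stays inside the query string and the attribute.
        System.out.println(link("/list", "q", value));
    }
}
```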
Upgrade to the appropriate version below:
CVSS metrics
- Base: 5.8
- Temporal: 4.5
- Environmental: 4.2
Environmental scores are assuming typical internet systems. Actual environmental scores for your organisation may differ.
Credit for finding this vulnerability goes to Ricardo Martín from ElevenPaths.