Apache Roller q Parameter XSS

This script is Copyright (C) 2009-2012 Tenable Network Security, Inc.


Synopsis :

The remote web server contains a Java web application that is affected
by a cross-site scripting vulnerability.

Description :

The remote host is running Apache Roller, a multi-user blog server
written in Java.

The version of Apache Roller installed on the remote host fails to
sanitize user input to the 'q' parameter of search requests before
including it in dynamic HTML output. An attacker may be able to
leverage this issue to inject arbitrary HTML and script code into a
user's browser to be executed within the security context of the
affected site.

See also :

http://www.nessus.org/u?75c214e4

Solution :

Apply the code fix referenced in revision 668737 from the Subversion
repository.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.6
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: CGI abuses : XSS

Nessus Plugin ID: 35299 (apache_roller_q_xss.nasl)

Bugtraq ID: 33110

CVE ID: CVE-2008-6879