CVE-ID: CVE-2011-1077
Risk Level: Low
Published Date: 2011-06-04
Affected Software: Apache Archiva
Affected Versions: 1.3.0 - 1.3.4 (unsupported versions 1.0 - 1.2.2 are also affected)
Vulnerability Type: Multiple XSS (Cross-Site Scripting)
CVSS Base Score: 4.3/10
Exploit Range: Remote

Description:
The multiple XSS issues found are both Stored (Persistent) and Reflected (Non-Persistent). JavaScript, which may contain malicious code, can be appended to a request parameter (reflected) or stored as a value in a submitted form (stored), and is then executed when the affected page is rendered.

Mitigation:
Archiva 1.3.4 and earlier users should upgrade to 1.3.5.

References:
- http://archiva.apache.org/security.html
- http://xforce.iss.net/xforce/xfdb/67672
- http://www.securityfocus.com/bid/48011
- http://www.securityfocus.com/archive/1/archive/1/518167/100/0/threaded
- http://securiteam.com/advisories/44693
- http://archives.neohapsis.com/archives/fulldisclosure/2011-05/0531.html
- http://archiva.apache.org/docs/1.3.5/release-notes.html
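The advisory names no specific parameters or forms, so the following is an added, generic illustration (not Archiva's code) of the two variants it describes: a constructed script payload echoed straight from a request parameter (reflected) and one stored from a form submission and echoed later (stored), each shown unencoded beside the attribute-context encoding that neutralises it. The store, field names and payload are all assumptions made up for the example.

```python
import html

# Constructed sample payload of the kind the advisory describes: it closes the
# surrounding attribute and injects a script element if echoed unencoded.
PAYLOAD = '"><script>alert(1)</script>'

# Minimal in-memory stand-in for wherever a submitted form value is persisted
# (assumption for the example; not how Archiva stores data).
_STORE = {}


def render_vulnerable(name, value):
    """Echo an untrusted value into an HTML attribute without encoding."""
    return f'<input name="{name}" value="{value}">'


def render_hardened(name, value):
    """Encode for the HTML attribute context before echoing.

    html.escape with quote=True turns <, >, &, " and ' into entities, so the
    value can no longer terminate the attribute or open a tag.
    """
    return f'<input name="{name}" value="{html.escape(value, quote=True)}">'


def reflected_page(query_param, safe=True):
    """Reflected variant: the request parameter goes straight back into the page."""
    return (render_hardened if safe else render_vulnerable)("q", query_param)


def store_form_value(field, value):
    """Stored variant, step 1: the submitted form value is persisted as-is."""
    _STORE[field] = value


def stored_page(field, safe=True):
    """Stored variant, step 2: the persisted value is echoed on a later request."""
    return (render_hardened if safe else render_vulnerable)(field, _STORE.get(field, ""))


def breaks_out_of_attribute(markup):
    """Check used by the test: did the echoed value close its attribute and start a tag?"""
    return '"><' in markup
```

Encoding must match the output context (attribute, element text, JavaScript, URL); the attribute encoding shown here is not sufficient on its own for a value echoed inside a script block.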