A hand-crafted JSONP callback and response can be used to run arbitrary code in the client's browser via Adobe Flash in Apache CouchDB versions up to and including 1.0.3, 1.1.1, and 1.2.0.
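The issue above belongs to the class of unvalidated JSONP callback parameters: whatever bytes the caller supplies as the callback name are echoed at the very start of the response body, so the body can be made to look like a different file format (here, a Flash object) to a plugin that ignores the Content-Type. The following is an added example, not CouchDB's code or its actual fix, of the check a JSONP endpoint should make before echoing a callback; the sample callback strings are constructed.

```javascript
// Added example (not CouchDB code): validate a JSONP callback name before
// reflecting it into a response. Only a dotted JavaScript identifier path
// such as "cb", "jQuery123" or "ns.handler" is allowed; anything else is
// refused rather than echoed.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isValidCallback(name) {
  return typeof name === "string" && name.length <= 64 && CALLBACK_RE.test(name);
}

// Build the JSONP body. Returns null when the callback is rejected so the
// caller can fall back to plain JSON (or an error) instead of echoing input.
function buildJsonpResponse(callback, payload) {
  if (!isValidCallback(callback)) return null;
  // U+2028/U+2029 are legal inside JSON strings but terminate lines in JS;
  // escape them so the payload cannot break out of the call expression.
  const json = JSON.stringify(payload)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  // A leading comment means the response never starts with attacker bytes,
  // which defeats formats that expect their magic bytes at offset 0.
  return "/**/ " + callback + "(" + json + ");";
}

// Constructed sample inputs: two benign callbacks and two hostile ones.
const samples = {
  benign: "jQuery1234_5678",
  dotted: "window.app.onData",
  // Constructed: starts with the bytes a Flash (CWS) header would use; not an identifier.
  flashLike: "CWS\x09\x00\x00\x00",
  // Constructed: tries to smuggle a statement through the callback parameter.
  injected: "alert(1)//"
};
```

Use `isValidCallback` on the query parameter at the edge and serve the response as `application/javascript` (not `text/html`); the allow-list, the fixed comment prefix and the correct media type together remove the three things the attack needs.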
Apache CouchDB versions up to and including 1.0.3, 1.1.1, and 1.2.0 are vulnerable to a DOM-based cross-site scripting issue.
Apache CouchDB versions up to and including 1.0.3, 1.1.1, and 1.2.0 are vulnerable to an information disclosure vulnerability via unescaped backslashes in URLs on Windows.
Apache CouchDB versions 0.8.0 through 1.0.1 suffer from a cross-site scripting vulnerability.
Apache CouchDB versions prior to version 0.11.1 are vulnerable to cross-site request forgery (CSRF) attacks. A malicious website can POST arbitrary JavaScript code to well-known CouchDB installation URLs (such as http://localhost:5984/) and make the browser execute the injected JavaScript in the security context of CouchDB's admin interface, Futon.
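The attack described above relies on two browser facts: a page on any origin can make a visitor's browser submit an HTML form to http://localhost:5984/, and a form can only send the enctypes application/x-www-form-urlencoded, multipart/form-data or text/plain, never a custom Content-Type. The following is an added example, not CouchDB's own code and not its actual fix, of a request filter built on those facts: it refuses state-changing requests whose body is not application/json and whose Origin (when present) is not trusted, and it HTML-escapes anything echoed back in an error page so a reflected body cannot run as script. The request objects and the trusted-origin list are constructed sample input.

```javascript
// Added example (not CouchDB code): reject form-shaped cross-site POSTs to a
// JSON HTTP API and never echo raw request data into an HTML error page.
const STATE_CHANGING = new Set(["POST", "PUT", "DELETE", "COPY"]);

// Returns { ok: true } or { ok: false, reason: string }.
function checkRequest(req, trustedOrigins) {
  const method = req.method.toUpperCase();
  if (!STATE_CHANGING.has(method)) return { ok: true };

  // Browsers attach Origin to cross-site form POSTs; if it is present and not
  // one of ours, refuse before looking at the body at all.
  const origin = req.headers["origin"];
  if (origin !== undefined && !trustedOrigins.includes(origin)) {
    return { ok: false, reason: "cross-origin request from " + origin };
  }

  // An HTML form cannot produce this media type, so requiring it (and a body
  // that actually parses as JSON) blocks form-based CSRF even when Origin is absent.
  const ctype = (req.headers["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (ctype !== "application/json") {
    return { ok: false, reason: "unsupported Content-Type " + (ctype || "(none)") };
  }
  try {
    JSON.parse(req.body);
  } catch (e) {
    return { ok: false, reason: "body is not valid JSON" };
  }
  return { ok: true };
}

// Escape the five characters that let text break out of HTML content or attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Error page that reflects the rejected body. Because the body is escaped, a
// browser showing this page renders the script tag as text instead of running it.
function errorPage(reason, echoedBody) {
  return "<p>Bad request: " + escapeHtml(reason) + "</p><pre>" + escapeHtml(echoedBody) + "</pre>";
}

// Constructed sample: what a hidden <form method="POST" enctype="text/plain">
// on an attacker's page makes the victim's browser send to http://localhost:5984/.
const formCsrf = {
  method: "POST",
  headers: { "origin": "http://evil.example", "content-type": "text/plain" },
  body: "<script>alert(document.cookie)</script>="
};

// Constructed sample: a legitimate same-origin XHR from the admin UI.
const legit = {
  method: "POST",
  headers: { "origin": "http://localhost:5984", "content-type": "application/json; charset=utf-8" },
  body: '{"_id":"doc1","title":"hello"}'
};

// Constructed: the only origin this instance should accept writes from.
const TRUSTED_ORIGINS = ["http://localhost:5984"];
```

The two checks are deliberately independent: the Content-Type rule alone already stops any request an HTML form can generate, and the Origin rule catches scripted cross-site requests that browsers allow to carry a JSON media type only after a CORS preflight, which a server without CORS headers never approves.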