CVE-2010-3854: Apache CouchDB Cross Site Scripting Issue Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache CouchDB 0.8.0 to 1.0.1 Description: Apache CouchDB versions prior to version 1.0.2 are vulnerable to cross site scripting (XSS) attacks. Mitigation: All users should upgrade to CouchDB 1.0.2. Upgrades from the 0.11.x and 0.10.x series should be seamless. Users on earlier versions should consult http://wiki.apache.org/couchdb/Breaking_changes Example: Due to inadequate validation of request parameters and cookie data in Futon, CouchDB's web-based administration UI, a malicious site can execute arbitrary code in the context of a user's browsing session. Credit: This XSS issue was discovered by a source that wishes to stay anonymous. References: http://couchdb.apache.org/downloads.html http://wiki.apache.org/couchdb/Breaking_changes http://en.wikipedia.org/wiki/Cross-site_scripting Jan Lehnardt --