CVE-2018-8035

CWE-79 — Cross-site Scripting (XSS)CWE-400 — Uncontrolled Resource Consumption CWE-8359 documents6 sources

Severity

6.1MEDIUM

EPSS

3.6%

top 12.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Uimaducc Apache Apache Uima Ducc

Timeline

PublishedMay 1

Latest updateMay 14

Description

This vulnerability relates to the user's browser processing of DUCC webpage input data.The javascript comprising Apache UIMA DUCC (<= 2.2.2) which runs in the user's browser does not sufficiently filter user supplied inputs, which may result in unintended execution of user supplied javascript code.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶Mavenorg.apache.uima:uima-ducc-web< 3.0.0

▶NVDapache/uimaducc2.2.2

▶CVEListV5apache/apache_uima_duccApache UIMA DUCC releases including and prior to 2.2.2

🔴Vulnerability Details

OSV

Cross-site Scripting in Apache UIMA↗2019-05-14

▶

GHSA

Cross-site Scripting in Apache UIMA↗2019-05-14

▶

CVEList

CVE-2018-8035: This vulnerability relates to the user's browser processing of DUCC webpage input data↗2019-05-01

▶

OSV

CVE-2018-8035: This vulnerability relates to the user's browser processing of DUCC webpage input data↗2019-05-01

▶

📋Vendor Advisories

Red Hat

libxml2: Infinite loop caused by incorrect error detection during LZMA decompression↗2018-04-03

▶

Red Hat

libxml2: infinite loop in xz_decomp function in xzlib.c↗2018-04-03

▶

💬Community

Bugzilla

CVE-2018-14567 libxml2: Infinite loop caused by incorrect error detection during LZMA decompression↗2018-08-22

▶

Bugzilla

CVE-2018-9251 libxml2: infinite loop in xz_decomp function in xzlib.c↗2018-04-09

▶