This is an informational CVE only.
---
The server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CVE Risk: XSS
Versions affected:
9.2.26 and older (now EOL)
9.3.25 and older
9.4.15 and older
Resolved:
9.2.27 (soon to be released)
9.3.26 (released)
9.4.16 (soon to be released)
Let's use CVE-2019-10241. Let me know when you're ready to remove the "committers only" flag and disclose.
CVSS base score is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:F
Please publish on Monday April 22nd. This is the text we should include in the CVE report ...
--(start)--
The server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CVE Risk: XSS
Versions affected:
9.2.26 and older (now EOL)
9.3.25 and older
9.4.15 and older
Resolved:
9.2.27.v20190403
9.3.26.v20190403
9.4.16.v20190411
--(end)--
In lieu of the CVSS, let's go with CWE-79.
Pull request: https://github.com/CVEProject/cvelist/pull/1931
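An added example for defenders checking an inventory against the version ranges quoted in this thread; it is not code from the thread or from the Jetty project, and it assumes version strings in the form shown above (e.g. 9.4.16.v20190411 or 9.4.16).

```python
import re

# Last affected patch level per branch, taken from the advisory text above:
# 9.2.26 and older, 9.3.25 and older, 9.4.15 and older are vulnerable.
LAST_AFFECTED = {(9, 2): 26, (9, 3): 25, (9, 4): 15}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.v\d{8})?$")


def parse_jetty_version(version):
    """Turn '9.4.16.v20190411' or '9.4.16' into an (major, minor, patch) tuple.

    The trailing '.vYYYYMMDD' build qualifier carries no ordering information
    beyond the numeric triple, so it is accepted and discarded.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """Return True if the given Jetty version is inside the advisory's ranges.

    Branches before 9.2 are treated as affected because the advisory says
    '9.2.26 and older'. Branches newer than 9.4 are not covered by this
    advisory and are reported as not affected by it.
    """
    major, minor, patch = parse_jetty_version(version)
    if (major, minor) < (9, 2):
        return True
    last_bad = LAST_AFFECTED.get((major, minor))
    if last_bad is None:
        return False
    return patch <= last_bad


def triage(versions):
    """Map each version string to 'affected', 'fixed' or 'unparseable'."""
    result = {}
    for v in versions:
        try:
            result[v] = "affected" if is_affected(v) else "fixed"
        except ValueError:
            result[v] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed sample inventory: the resolved versions from the thread plus
    # a few affected and malformed entries.
    sample = ["9.4.15", "9.4.16.v20190411", "9.3.26.v20190403", "9.2.27.v20190403",
              "9.2.26", "9.1.0", "jetty-9.4"]
    for version, status in triage(sample).items():
        print(f"{version:20} {status}")
```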