Search Results
- Results Type: Overview
- Search Type: Search All
- CPE Vendor: cpe:/:apache
- CPE Product: cpe:/:apache:tiles
- CPE Product Version: cpe:/:apache:tiles:2.6
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2023-49735 | ** UNSUPPORTED WHEN ASSIGNED ** The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when passing user-controlled data to this key. Passing user-controlled data to this key may be relatively common, as it was also used like that to set the language in the 'tiles-test' application shipped with Tiles. This issue affects Apache Tiles from version 2 onwards. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Published: November 30, 2023; 5:15:09 PM -0500 | V3.1: 7.5 HIGH; V2.0: (not available) |