BleepingComputer reported that an undisclosed but currently patched cross-site scripting vulnerability in the open source Apache Velocity Tools codebase has been documented by Jackson Henry of the Sakura Samurai ethical hacking group. The vulnerability was reported last November and an update to fix the problem was quietly published to the project’s public GitHub page soon after the report, but since no formal announcement of the problem was made, many other software products that incorporate Apache Velocity Tools have not updated their code and are still vulnerable. The flaw exists in how the VelocityViewServlet class renders error pages. Using a malformed URL, the attacker can trick victims into clicking the URL to detonate the XSS. This attack could be staged on various government websites that are vulnerable, including nasa.gov and *.gov.au.
As this flaw occurs through malformed URLs, Binary Defense recommends users take care when clicking on links from untrusted sources, even if the link is to a .gov website. If possible, companies should require all HTTP communication from employee workstations to go through a company-managed proxy server, so that URLs can be examined and suspicious connections terminated. Alerts generated by proxy servers need to be investigated and responded to quickly to protect corporate information. This requires a 24/7 SOC monitoring solution, either staffed internally or in partnership with managed security providers, such as Binary Defense’s Security Operations Task Force.
Source article: https://www.bleepingcomputer.com/news/security/undisclosed-apache-velocity-xss-vulnerability-impacts-gov-sites/