BleepingComputer reported that a cross-site scripting (XSS) vulnerability in the open-source Apache Velocity Tools codebase, not publicly disclosed but already patched, has been documented by Jackson Henry of the Sakura Samurai ethical hacking group. The vulnerability was reported last November, and an update fixing the problem was quietly published to the project's public GitHub repository soon after the report. Because no formal announcement of the problem was made, however, many other software products that incorporate Apache Velocity Tools have not updated their code and remain vulnerable. The flaw lies in how the VelocityViewServlet class renders error pages: using a malformed URL, an attacker can trick victims into clicking the link to trigger the XSS. Vulnerable government websites on which this attack could be staged include nasa.gov and *.gov.au.
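The failure mode described above, an error page that echoes part of the request back into HTML without escaping it, is shown below as an added illustration in Python. This is not Apache Velocity Tools code and does not use the real VelocityViewServlet API; the function names, the page template and the sample request URI are constructed for the example. It places the unsafe rendering beside the hardened one (HTML-escaping the reflected path for its output context) and adds a check a reviewer can run against a rendered page to confirm that request-supplied markup no longer survives intact.

```python
"""Reflected XSS in an error page: unsafe reflection vs. HTML-escaped reflection.

Added example, not code from Apache Velocity Tools.  It models the general
pattern (an error page that reflects the request path into HTML); the names
render_error_vulnerable, render_error_hardened and reflects_raw_markup are
invented for this illustration.
"""
import html
from urllib.parse import unquote, urlsplit

# Constructed sample request: the path carries harmless markup so the
# difference between the two renderers is visible in the output.
SAMPLE_REQUEST_URI = "/tools/missing%3Cb%3Emarker%3C/b%3E.vm"

_TEMPLATE = "<html><body><h1>Error</h1><p>Resource not found: {path}</p></body></html>"


def _decoded_path(request_uri: str) -> str:
    """Percent-decode the path component, as a servlet container would before rendering."""
    return unquote(urlsplit(request_uri).path)


def render_error_vulnerable(request_uri: str) -> str:
    """Error page that reflects the decoded request path verbatim (the unsafe pattern)."""
    return _TEMPLATE.format(path=_decoded_path(request_uri))


def render_error_hardened(request_uri: str) -> str:
    """Same page, but the reflected path is escaped for an HTML text/attribute context."""
    safe = html.escape(_decoded_path(request_uri), quote=True)
    return _TEMPLATE.format(path=safe)


def reflects_raw_markup(page: str, request_uri: str) -> bool:
    """Review check: does request-supplied markup appear in the page with its angle brackets intact?

    Returns False when the request path contains no markup at all, so a benign
    404 is not flagged; returns True only when the decoded path, brackets
    included, is present verbatim in the rendered HTML.
    """
    path = _decoded_path(request_uri)
    if "<" not in path and ">" not in path:
        return False
    return path in page


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_error_vulnerable),
                           ("hardened", render_error_hardened)):
        page = renderer(SAMPLE_REQUEST_URI)
        print(f"{name:10s} reflects raw markup: {reflects_raw_markup(page, SAMPLE_REQUEST_URI)}")
        print("  ", page)
```

The escaping belongs at the point where the value enters the HTML, chosen for that output context (text node or quoted attribute here); escaping once at input time is not a substitute, because the same value may later be emitted into a different context.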
By Akshay Rohatgi and Randy Pargman
About this Student Research Project
Binary Defense's mission is