Jolokia Agent Cross-Site Scripting Vulnerability [CVE-2018-1000129]
CVE Number – CVE-2018-1000129
A vulnerability in the Jolokia agent could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system.
The vulnerability is due to improper security restrictions that are imposed by the affected software. An attacker could exploit this vulnerability by persuading a targeted user to follow a link that contains malicious JavaScript code. A successful exploit could allow the attacker to inject malicious JavaScript code into the user’s browser, which the attacker could leverage to access sensitive information.
The vendor has confirmed this vulnerability and released software updates.
-
To exploit this vulnerability, the attacker may use misleading language and instructions to persuade a user of the targeted system to follow a link that contains malicious JavaScript code.
-
Administrators are advised to apply the appropriate updates.
Administrators are advised to allow only trusted users to access network systems.
Administrators are advised to monitor affected systems.
For additional information about cross-site scripting attacks and the methods used to exploit these vulnerabilities, see the Cisco Applied Mitigation Bulletin Understanding Cross-Site Scripting (XSS) Threat Vectors.
-
The vendor has released a git commit at the following link: Fix: Verify a given ‘mimeType’ and/or ‘callback’ request parameter
-
The vendor has released a software update at the following link: Jolokia Release 1.5.0
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.