[VIM] CVE-2013-1571 Javadoc

Art Manion amanion at cert.org
Thu Jun 27 16:50:15 CDT 2013


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1571

"Oracle has not commented on claims from another vendor that this issue 
is related to frame injection in HTML that is generated by Javadoc."

http://www.kb.cert.org/vuls/id/225657

We're pretty confident that the problem is frame injection in HTML 
generated by Javadoc.  Previous JavaScript included a check for ":" that 
broke obvious XSS attacks (possibly CVE-2007-3503), but it allowed 
?//www.example.com (scheme-relative URI or network-path reference).


  - Art
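
Added example, not part of the original message and not Javadoc's actual code: a simplified colon-only check of the kind described above, next to a check that resolves the frame target against the page and requires the same origin. The function names, DOC_BASE and the sample inputs are constructed for illustration.

```javascript
// Constructed page location standing in for a generated Javadoc index page.
const DOC_BASE = "https://docs.example.org/api/index.html";

// Simplified form of the check the post describes: reject only if ":" appears.
// This is an assumption about its shape, not the code Javadoc shipped.
function colonOnlyCheck(target) {
  return target.indexOf(":") === -1;
}

// Origin the browser would load the frame from once the target is resolved
// against the page URL (WHATWG URL resolution, same rules a browser applies).
function resolvedOrigin(target, base = DOC_BASE) {
  return new URL(target, base).origin;
}

// Stricter check: resolve first, then require the result to stay on the
// page's own origin. Unparseable input is rejected.
function sameOriginCheck(target, base = DOC_BASE) {
  let url;
  try {
    url = new URL(target, base);
  } catch (e) {
    return false;
  }
  return url.origin === new URL(base).origin;
}

// Constructed frame targets, i.e. the text after "?" in the page URL.
const SAMPLES = [
  "java/lang/String.html",         // ordinary relative doc page
  "http://www.example.com/x.html", // absolute URL, contains ":"
  "//www.example.com",             // network-path reference from the post
];

// One row per sample: what each check decides and where the frame would load.
function compareChecks(samples = SAMPLES) {
  return samples.map((t) => ({
    target: t,
    colonOnly: colonOnlyCheck(t),
    sameOrigin: sameOriginCheck(t),
    origin: resolvedOrigin(t),
  }));
}

console.table(compareChecks());
```

The network-path reference contains no ":" and so passes the colon-only check, yet it resolves to a different host under the page's scheme; the same-origin check rejects it because it compares the resolved result rather than the raw string.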

