| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one |
| or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information |
| regarding copyright ownership. The ASF licenses this file |
| to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance |
| with the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, |
| software distributed under the License is distributed on an |
| "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| KIND, either express or implied. See the License for the |
| specific language governing permissions and limitations |
| under the License. |
| --> |
| |
| <html> |
| <head> |
| <meta name="viewport" content="width=device-width, initial-scale=1"> |
| <title>mod_pagespeed Security Advisory: Cross-Site Scripting</title> |
| <link rel="stylesheet" href="doc.css"> |
| </head> |
| <body> |
| <!--#include virtual="_header.html" --> |
| |
| |
| <div id=content> |
| <h1>mod_pagespeed Security Advisory: Cross-Site Scripting</h1> |
| <dl> |
| <dt>CVE Identifier:</dt> |
| <dd>CVE-2012-4360</dd> |
| <dt>Disclosed:</dt> |
| <dd>September 12, 2012</dd> |
| <dt>Versions Affected:</dt> |
| <dd>mod_pagespeed versions 0.10.19.1 through 0.10.22.4 (inclusive). |
| Versions 0.9.18.6 and earlier are unaffected.</dd> |
| <dt>Summary:</dt> |
| <dd>mod_pagespeed performs insufficient escaping in some cases, which can |
| permit a hostile third party to inject JavaScript that runs in the context of |
| the site.</dd> |
| <dt>Solution:</dt> |
| <dd>mod_pagespeed 0.10.22.6 has been released with a fix.</dd> |
| </dl> |
| </div> |
| <!--#include virtual="_footer.html" --> |
| </body> |
| </html> |