CVE-2017-16821: Cross-site Scripting
b3log Symphony has an XSS in processor/AdminProcessor.java in the admin console, as demonstrated by a crafted X-Forwarded-For HTTP header that is mishandled during display of a client IP address in /admin/user/userid.
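One way to treat a header-derived client IP defensively before it is rendered in an admin page, as an added example that is not Symphony's code or its fix. The class and method names are hypothetical and the header values are constructed.

```java
import java.net.InetAddress;
import java.util.regex.Pattern;

// Added example (hypothetical class, not Symphony code).
public class ClientIpDisplay {
    private static final Pattern IPV4 =
        Pattern.compile("^(25[0-5]|2[0-4]\\d|1?\\d?\\d)(\\.(25[0-5]|2[0-4]\\d|1?\\d?\\d)){3}$");
    // Character allow-list only; InetAddress does the real IPv6 parsing below.
    private static final Pattern IPV6_CHARS = Pattern.compile("^[0-9A-Fa-f:][0-9A-Fa-f:.]{1,44}$");

    // X-Forwarded-For is set by the client unless a trusted proxy overwrites it,
    // so treat it as untrusted input: accept only an IP literal, else "unknown".
    static String normalizeClientIp(String headerValue) {
        if (headerValue == null) return "unknown";
        String first = headerValue.split(",", 2)[0].trim(); // first hop of a proxy chain
        if (IPV4.matcher(first).matches()) return first;
        if (first.indexOf(':') >= 0 && IPV6_CHARS.matcher(first).matches()) {
            try {
                // The allow-list above keeps host names away from this resolver call.
                return InetAddress.getByName(first).getHostAddress();
            } catch (Exception e) {
                return "unknown";
            }
        }
        return "unknown";
    }

    // Output encoding for an HTML text or attribute context; applied even to
    // validated values so a validation gap cannot become script execution.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed header values, not taken from the advisory.
        String[] samples = {"203.0.113.7", "203.0.113.7, 10.0.0.1", "2001:db8::1", "<b>not-an-ip</b>"};
        for (String h : samples) {
            System.out.println("<td>" + escapeHtml(normalizeClientIp(h)) + "</td>");
        }
    }
}
```

The value that is not an IP literal is rendered as `unknown`, and the escaping step still applies to whatever string reaches the template.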