XSS vulnerability in JavaScript router


Greg Methvin

Jun 28, 2016, 4:37:34 PM
to play-framework, Play framework dev
Hi everyone,

We recently discovered a security vulnerability in Play's JavaScript router. The host string was not being properly escaped. Since the Host header can be spoofed by an attacker, it can result in reflected XSS.

If you are using the JavaScript router, we recommend upgrading to Play 2.4.8 or 2.5.4 (though no 2.5 releases are affected).


--
Greg Methvin
Senior Software Engineer
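The defect described above, as an added illustration that is not Play's own code: a generator that concatenates the Host value into the emitted JavaScript lets a crafted value change the script's structure, while serializing it as a JavaScript string literal (with the sequences JSON leaves alone but that matter inside an inline script also neutralized) keeps it as data. The function and variable names here are hypothetical, and the sample Host values are constructed.

```javascript
// Vulnerable pattern (hypothetical, mirrors the bug class on this page):
// the Host value is pasted straight into generated JavaScript source.
function renderRouterUnsafe(host) {
  return "var host = '" + host + "';";
}

// Hardened pattern: emit the value as a JS string literal via JSON.stringify,
// then escape what JSON does not: "</" (would close an inline <script>
// element) and the U+2028 / U+2029 line terminators.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/<\//g, "<\\/")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderRouterSafe(host) {
  return "var host = " + jsStringLiteral(host) + ";";
}

// Regression check: run the generated snippet in a throwaway function scope
// and report the host value it ends up with and whether any code outside the
// intended assignment executed (the marker flips the flag if it is called).
function evalRouter(source) {
  let sideEffect = false;
  const marker = () => { sideEffect = true; };
  const host = new Function("marker", source + " return host;")(marker);
  return { host, sideEffect };
}

// Constructed sample Host header values (not taken from a real request).
const BENIGN_HOST = "example.com";
const HOSTILE_HOST = "x'; marker(); var z='";

// Returns the outcome of both generators for the hostile sample.
function demo() {
  return {
    unsafe: evalRouter(renderRouterUnsafe(HOSTILE_HOST)),
    safe: evalRouter(renderRouterSafe(HOSTILE_HOST)),
    benign: evalRouter(renderRouterSafe(BENIGN_HOST)),
  };
}
```

With the unsafe generator the marker runs and the router is left with host "x"; with the safe generator nothing but the assignment executes and the full value is preserved as a string.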

Matthias Kurz

Jun 29, 2016, 5:20:47 AM
to play-framework, play-fram...@googlegroups.com
Shouldn't this also be sent out to the play-framework-security mailing list?