CVE-2018-1294 - Improper Input Validation

Severity: Low2021-12-08

Security Advisories

Abstract

If a user of Apache Commons Email (typically an application programmer) passes unvalidated input as the so-called "Bounce Address", and that input contains line-breaks, then the email details (recipients, contents, etc.) might be manipulated.

The Oxygen XML products incorporates the Apache Commons Email as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

ProductSeverityFixed Release Availability
Oxygen Content Fusion 4.1 and olderLow Oxygen Content Fusion 4.1.2 build 2021112414

Mitigation

None

Detail

CVE-2018-1294

Severity: high

CVSS Score: 7.5

The Apache Commons Email third-party library used by Oxygen XML software products is an affected version mentioned in CVE-2018-1294 vulnerability description. However, the Oxygen XML software products validate input before being passed to Email.setBounceAddress(String). Therefore Oxygen XML software products are not impacted by CVE-2018-1294.

Starting with Oxygen Content Fusion version 4.1, the Apache Commons Email was updated to version 1.5, which includes a fix for CVE-2018-1294.

List of Security Advisories

Video Tutorials
Upcoming Events
webinar
Oxygen AI Positron: Your Helper in All Stages of Content Creation
May 8, 2024

Products

Features

Shop

Resources

Support

Company

© 2002-2024 SyncRO Soft SRL. All rights reserved.

This website was created & generated with <oXygen/>®XML Editor