CVE-2019-12416 Apache DeltaSpike JavaScript Injection

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: Apache DeltaSpike up to and including 1.9.2

Description:
In Apache DELTASPIKE-1389 and DELTASPIKE-1401 we received reports of 2 injection attacks against the DeltaSpike windowhandler.js. This is only active if a developer selected the ClientSideWindowStrategy, which is not the default.

Mitigation:
* Upgrade to Apache DeltaSpike-1.9.3

Credit:
The issue was discovered by Christian Beikov and Matthias Walliczek

References:
https://issues.apache.org/jira/browse/DELTASPIKE-1389
https://issues.apache.org/jira/browse/DELTASPIKE-1401
