Published: 30/11/2023 Updated: 17/05/2024

CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9

VMScore: 0

** UNSUPPORTED WHEN ASSIGNED ** The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when passing user-controlled data to this key. Passing user-controlled data to this key may be relatively common, as it was also used like that to set the language in the 'tiles-test' application shipped with Tiles. This issue affects Apache Tiles from version 2 onwards. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Vulnerable Product	Search on Vulmon	Subscribe to Product
apache tiles

Debian Bug report logs - #1057315 tiles: CVE-2023-49735 Package: src:tiles; Maintainer for src:tiles is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Sun, 3 Dec 2023 10:03:01 UTC Severity: important Tags: security, upstream Found ...

CWE-22 https://lists.apache.org/thread/8ktm4vxr6vvc1qsxh6ft8jzmom1zl65p https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057315 https://nvd.nist.gov

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2023-49735

Vulnerability Summary

Vendor Advisories

References

Vulmon Search

About

Products

Connect