CVE Number – CVE-2018-1000129
A vulnerability in the Jolokia agent could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system.
The vendor has confirmed this vulnerability and released software updates.
Administrators are advised to apply the appropriate updates.
Administrators are advised to allow only trusted users to access network systems.
Administrators are advised to monitor affected systems.
For additional information about cross-site scripting attacks and the methods used to exploit these vulnerabilities, see the Cisco Applied Mitigation Bulletin Understanding Cross-Site Scripting (XSS) Threat Vectors.
The vendor has released a git commit at the following link: Fix: Verify a given ‘mimeType’ and/or ‘callback’ request parameter
The vendor has released a software update at the following link: Jolokia Release 1.5.0
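The commit title above describes the fix as verifying the `mimeType` and `callback` request parameters. The following Python sketch is an added example that is not Jolokia's own code and is not taken from the linked commit; it shows the defensive pattern behind that description: a JSONP-style endpoint that allowlists the response content type and accepts a callback only if it is a plain JavaScript identifier, so neither parameter can be reflected into the response unchecked. The allowlist values, the identifier pattern, the length limit, the `handle` helper and the sample inputs are all assumptions made for this illustration.

```python
import json
import re

# Assumed allowlist of response types the endpoint is willing to emit. Anything else
# falls back to the default instead of being echoed into the Content-Type header.
ALLOWED_MIME_TYPES = frozenset({"application/json", "text/plain"})
DEFAULT_MIME_TYPE = "text/plain"

# Assumed callback grammar: a JavaScript identifier, optionally dotted (e.g. "jQuery.cb_1").
# Parentheses, quotes, semicolons and angle brackets can never match, so the callback
# can only name a function, not carry script.
_CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
MAX_CALLBACK_LEN = 64


class BadRequest(ValueError):
    """Raised when a request parameter fails validation."""


def validate_mime_type(value):
    """Return an allowlisted content type, falling back to the default for anything else."""
    if value is None:
        return DEFAULT_MIME_TYPE
    candidate = value.strip().lower()
    if candidate not in ALLOWED_MIME_TYPES:
        return DEFAULT_MIME_TYPE
    return candidate


def validate_callback(value):
    """Return the callback name if it is a safe identifier, None if absent, else reject."""
    if value is None:
        return None
    if len(value) > MAX_CALLBACK_LEN or not _CALLBACK_RE.fullmatch(value):
        raise BadRequest("invalid callback parameter")
    return value


def _escape_for_script(text):
    """Escape characters that could close a <script> block or inject markup when the
    JSON body is rendered inside an HTML or JavaScript context."""
    return (
        text.replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
        .replace("\u2028", "\\u2028")
        .replace("\u2029", "\\u2029")
    )


def build_response(payload, mime_type=None, callback=None):
    """Return (content_type, body) for a JSON or JSONP response with validated parameters."""
    cb = validate_callback(callback)
    body = _escape_for_script(json.dumps(payload, separators=(",", ":")))
    if cb is None:
        return validate_mime_type(mime_type), body
    # JSONP is JavaScript: the content type is fixed by the server, never taken from the request.
    return "text/javascript", f"{cb}({body});"


def handle(params):
    """Hypothetical request handler: map query parameters to (status, content_type, body)."""
    payload = {"status": 200, "value": params.get("echo", "")}
    try:
        ctype, body = build_response(payload, params.get("mimeType"), params.get("callback"))
    except BadRequest as exc:
        return 400, "text/plain", str(exc)
    return 200, ctype, body


if __name__ == "__main__":
    # Constructed sample requests: a benign JSONP call, an attacker-shaped callback,
    # and an attempt to have the response served as HTML.
    for sample in (
        {"callback": "jQuery.cb_1", "echo": "ok"},
        {"callback": "alert(1);//", "echo": "ok"},
        {"mimeType": "text/html", "echo": "<b>hi</b>"},
    ):
        print(sample, "->", handle(sample))
```

The two checks are deliberately different in shape: an unknown `mimeType` is quietly replaced by a safe default because the client gains nothing from an error, while a malformed `callback` is rejected outright because there is no safe substitute for a function name the server cannot trust. Escaping `<`, `>` and `&` in the serialized body is a second, independent layer in case the JSON is ever reflected into an HTML context regardless of the declared content type.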