The Apache DeltaSpike-JSF 1.8.0 module has an XSS injection leak in the windowId handling. The windowId gets cut off after 10 characters (by default), so the impact might be limited. A fix got applied and released in Apache deltaspike-1.8.1.

References:
https://nvd.nist.gov/vuln/detail/CVE-2017-17837
https://issues.apache.org/jira/browse/DELTASPIKE-1307
https://git-wip-us.apache.org/repos/asf?p=deltaspike.git;h=4e25023
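As an added illustration of the class of bug described above (this is not DeltaSpike's code and does not reproduce its fix), the snippet below contrasts a handler that only truncates a client-supplied window id before reflecting it into a script block with one that validates the id against an allowlist first. The class and method names, the request-parameter source and the sample inputs are all assumptions made for the example; the 10-character limit mirrors the default truncation mentioned in the comment.

```java
import java.util.regex.Pattern;

// Illustrative example only; not the DeltaSpike implementation.
// Assumes the window id arrives as an untrusted request parameter and is
// later written into HTML/JavaScript that the browser executes.
public final class WindowIdCheck {
    // Mirrors the 10-character default truncation mentioned in the bug.
    private static final int MAX_LEN = 10;
    // Allowlist: window ids are expected to be short alphanumeric tokens.
    private static final Pattern SAFE = Pattern.compile("[A-Za-z0-9]{1," + MAX_LEN + "}");

    // Vulnerable pattern: truncation alone, then reflected unescaped.
    // Any quote or angle bracket within the first 10 characters still
    // reaches the page, so the cap only shortens a payload, it does not block it.
    static String renderUnsafe(String windowId) {
        String id = windowId.length() > MAX_LEN ? windowId.substring(0, MAX_LEN) : windowId;
        return "<script>var wid='" + id + "';</script>";
    }

    // Hardened pattern: reject anything outside the allowlist before use.
    // Output encoding would be the second layer; the allowlist alone already
    // removes every character that could break out of the string literal.
    static String renderSafe(String windowId) {
        if (windowId == null || !SAFE.matcher(windowId).matches()) {
            throw new IllegalArgumentException("invalid windowId");
        }
        return "<script>var wid='" + windowId + "';</script>";
    }

    public static void main(String[] args) {
        // Constructed inputs: a benign id and one carrying a quote character.
        System.out.println(renderUnsafe("a'b"));     // quote is reflected as-is
        System.out.println(renderSafe("abc123"));    // accepted
        try {
            renderSafe("a'b");                       // rejected
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of the comparison is the one made in the comment: a length cap limits how much an attacker can inject, but it is not a sanitiser, so the check that matters is the allowlist (or, equivalently, context-appropriate output encoding) applied before the value is written into the page.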
Created deltaspike tracking bugs for this issue: Affects: fedora-all [bug 1532123]
The Apache DeltaSpike JSF module is not included in OpenDaylight nor are there any calls to windowId.
Moderate issues in Developer Studio won't be fixed. JBoss Developer Studio 11 uses patched version 1.8.1.