OSSA-2014-020: XSS in Swift requests through WWW-Authenticate header

Date:June 19, 2014
CVE:CVE-2014-3497

Affects

  • Swift: 1.11.0 to 1.13.1

Description

Globo.com Security Team reported a vulnerability in Swift’s header value escaping. By tricking a Swift user into clicking a malicious URL, a remote attacker may inject data in Swift response while still appearing to come from the Swift server, potentially leading to other client-side vulnerabilities. All Swift setups are affected.

Credits

  • Globo.com Security Team from Globo.com (CVE-2014-3497)