Security News > 2021 > January > Undisclosed Apache Velocity XSS vulnerability impacts GOV sites
An undisclosed Cross-Site Scripting vulnerability in Apache Velocity Tools can be exploited by unauthenticated attackers to target government sites, including NASA and NOAA. Although 90 days have elapsed since the vulnerability was reported and patched, BleepingComputer is not aware of a formal disclosure made by the project.
Govt sites using Apache Velocity Tools vulnerable to XSS. Apache Velocity Tools has an undisclosed XSS vulnerability, which impacts all its versions despite a fix having been published on GitHub months ago.
Security researcher Jackson Henry of the Sakura Samurai ethical hacking group had first discovered and reported the vulnerability to Apache in early October, 2020.
When contacted by BleepingComputer for comment, the Apache Software Foundation stated that the Apache Security Team receives hundreds of vulnerability reports in a year and that they respond to them in a timely manner based on the severity of the issue, as shown in their annual security report.
"With regard to the XSS vulnerability in Apache Velocity tools, the Apache Security Team were first contacted by an individual on 6 October 2020 who disclosed an issue they had found affecting part of the Velocity Tools package."
"We shared this privately with the Apache Velocity Project Management Committee who investigated and accepted the report on 7 October and suggested that the reporter submit the patch."