VYPR
Moderate severity · NVD Advisory · Published May 1, 2019 · Updated Aug 5, 2024

CVE-2018-8035

Description

Apache UIMA DUCC <=2.2.2 has a stored XSS vulnerability via unescaped user input in its web interface, allowing attacker JavaScript execution in a victim's browser.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Overview

This is a cross-site scripting (XSS) vulnerability in the Apache UIMA DUCC web server, affecting versions up to and including 2.2.2 [1]. The root cause is that the JavaScript code running in the user's browser does not properly filter or escape user-supplied input when processing DUCC webpage data [1][2]. This inadequate input sanitization enables an attacker to inject arbitrary JavaScript code that will then be executed in the context of a victim's browser session.
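The root cause named above is output that is built from user-supplied text without escaping. The following is an added example, not code from Apache UIMA DUCC or the Apache project: it shows the unescaped rendering pattern beside the escape-at-output fix, plus a small check that a unit test can run over rendered cells. The function names and the sample field value are assumptions constructed for this illustration.

```javascript
// Added example (not DUCC's code). Contrasts unescaped output with escaped output
// for a table cell built from an untrusted field, and gives a check usable in tests.

// Constructed sample: a user-controlled field (e.g. a job description) carrying markup.
// Any string that reaches the page from a submitter is untrusted.
const SAMPLE_FIELD = 'nightly run <script>alert(1)</script>';

// Encode the characters that change meaning in HTML text and attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the raw field is concatenated into markup, so any tag in it
// becomes part of the document and its script runs in the page's origin.
function renderCellUnsafe(value) {
  return '<td>' + value + '</td>';
}

// Fixed pattern: escape at the point of output; the browser shows the literal text.
function renderCellSafe(value) {
  return '<td>' + escapeHtml(value) + '</td>';
}

// Defender check: a rendered cell should contain only the element tags the template
// itself emits (<td> and </td>), so count opening and closing tags in the output.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z]/g) || []).length;
}

// True when rendering `value` through the safe renderer adds no tags beyond the template's.
function cellIsEscapedCorrectly(value) {
  return countTags(renderCellSafe(value)) === 2;
}

console.log('unsafe :', renderCellUnsafe(SAMPLE_FIELD), 'tags =', countTags(renderCellUnsafe(SAMPLE_FIELD)));
console.log('safe   :', renderCellSafe(SAMPLE_FIELD), 'tags =', countTags(renderCellSafe(SAMPLE_FIELD)));
console.log('escaped correctly:', cellIsEscapedCorrectly(SAMPLE_FIELD));
```

The escaping above is for HTML text and quoted-attribute context only; a value placed into a URL, a script block, or an inline event handler needs the encoding for that context, and the simplest rule is to assign untrusted strings with `textContent` rather than building markup from them at all.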

Exploitation

Path

The vulnerability is triggered when a user visits a specially crafted DUCC webpage that contains malicious input [1]. The attacker does not need prior authentication if the unescaped input is rendered immediately, for example through a URL parameter or form submission. The malicious JavaScript runs with the same origin as the DUCC web application, allowing access to session tokens, cookies, or other sensitive data stored by the browser for that site.

Impact

Successful exploitation gives the attacker the ability to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, defacement of the web interface, or theft of sensitive information displayed or processed by the DUCC application [1][2]. The Apache Software Foundation rated the severity as "Important" [2].

Mitigation

The vulnerability is resolved by upgrading to Apache UIMA DUCC version 3.0.0 or later [2]. There is no mention of a workaround for versions prior to 3.0.0; users are strongly advised to upgrade. The issue was reported to the private Apache UIMA mailing list and credited to Marshall Schor [2].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package:           org.apache.uima:uima-ducc-web (Maven)
Affected versions: < 3.0.0
Patched versions:  3.0.0
