January 20


Undisclosed Apache Velocity XSS vulnerability

Cybersecurity specialists have disclosed a cross-site scripting (XSS) vulnerability in Apache Velocity Tools that threat actors could exploit to compromise U.S. government websites.

A cross-site scripting (XSS) vulnerability allows attackers to inject a script into a website's content. When a user visits the affected page, the script executes in the user's browser, allowing attackers to steal private information.

There are two types of XSS. A reflected XSS happens when a malicious script carried in a request is reflected off the web server back into the victim's browser; such a vulnerability can be exploited simply by making a user click on a link. A stored XSS, on the other hand, takes place when the malicious script is injected directly into, and persisted by, the target web application.

The vulnerability in question is a case of reflected cross-site scripting: the attacker prepares a malicious link and convinces victims to open it in their browsers.

The vulnerability in Apache Velocity Tools lies in the VelocityViewServlet view class, which renders the error pages. When an invalid URL is accessed, the "template not found" error page displays the path portion of the URL verbatim, without encoding it. This allows attackers to craft malicious links that lead to a phishing page where they can extract sensitive information.
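To illustrate the pattern described above, here is an added Python model of such an error page (not Apache Velocity Tools' own code): the verbatim reflection beside the HTML-encoded form, plus a check a scanner or regression test can use to flag the reflection. The template text, the function names and the assumption that the container percent-decodes the path are my own.

```python
import html
from urllib.parse import unquote, urlsplit

# Constructed stand-in for the "template not found" page; the real
# servlet's markup is not reproduced here.
TEMPLATE_NOT_FOUND = (
    "<html><body><h1>Template not found</h1><p>{path}</p></body></html>"
)


def requested_path(request_uri: str) -> str:
    """Model the path the servlet works with: the path portion of the URL,
    percent-decoded (assumption: the container decodes it before the
    error page is built)."""
    return unquote(urlsplit(request_uri).path)


def error_page_unescaped(request_uri: str) -> str:
    """Vulnerable form: the path is copied into the HTML verbatim, so any
    markup characters in the URL become markup in the response."""
    return TEMPLATE_NOT_FOUND.format(path=requested_path(request_uri))


def error_page_escaped(request_uri: str) -> str:
    """Hardened form: HTML-encode the path so the browser renders it as
    text, whatever characters the URL contained."""
    safe_path = html.escape(requested_path(request_uri), quote=True)
    return TEMPLATE_NOT_FOUND.format(path=safe_path)


def reflects_markup_unescaped(response_body: str, request_uri: str) -> bool:
    """Detection check: True when the decoded path contains HTML
    metacharacters and appears unencoded in the response body."""
    path = requested_path(request_uri)
    has_meta = any(c in path for c in "<>\"'")
    return has_meta and path in response_body


if __name__ == "__main__":
    # Constructed probe: benign markup in the path, no script involved.
    probe = "/missing%3Cb%3Eprobe%3C/b%3E.vm"
    for render in (error_page_unescaped, error_page_escaped):
        body = render(probe)
        print(render.__name__, "reflects:", reflects_markup_unescaped(body, probe))
```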

Vulnerable deployments are in use on multiple U.S. government websites, including .nasa.gov and .gov.au domains.

The security researcher Jackson Henry first discovered and reported the vulnerability to Apache in early October 2020. Three months later, Apache has not issued a formal disclosure of the issue.

About the author

Gabriela Granda

I am a Systems Engineer specialized in security and networking. I'm interested in defensive security and forensics.