A cross-site scripting vulnerability has been fixed in a new version of Google Web Toolkit. Versions below 1.4.61 are affected by this issue.
According to a security advisory from the Danish company Secunia, the vulnerability exists in the Benchmark Reporting System of the toolkit. Link to the advisory, released today: http://secunia.com/advisories/28122/
Technically, the problem is in parameter handling. From Secunia: "Input passed via unspecified parameters to the benchmark reporting system is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site."
The official release notes are available at http://code.google.com/webtoolkit/releases/release-notes-1.4.61.html and also mention the target of the vulnerability.
It appears that the current download URL is http://code.google.com/webtoolkit/download.html