Comment 29 for bug 1327414

Tristan Cacqueray (tristan-cacqueray) wrote : Re: www-authenticate value isn't quoted

Thank you all!

@notmyname, there is no need to put version numbers in the actual description. Here is impact description #4:

Title: XSS in Swift requests through WWW-Authenticate header
Reporter: Globo.com Security Team
Products: Swift
Versions: 1.11.0 to 1.13.1

Description:
Globo.com Security Team reported a vulnerability in Swift's header value escaping. By tricking a Swift user into clicking a malicious URL, a remote attacker may inject data into the Swift response while still appearing to come from the Swift server, potentially leading to other client-side vulnerabilities. All Swift setups are affected.