This page lists all security vulnerabilities fixed in released versions of Apache Taglibs. Each vulnerability is given a security impact rating by the Apache Tomcat® security team — please note that this rating may vary from platform to platform. We also list the versions of Apache Taglibs the flaw is known to affect; where a flaw has not been verified for a version, that version is listed with a question mark.
This page has been created from a review of the Apache Tomcat archives and the CVE list. Please send comments or corrections for these vulnerabilities to the Tomcat Security Team.
Important: Information Disclosure
Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a JSTL XML tag.
This issue was identified by David Jorm of IIX and made public on 27 February 2015.
Affects: All versions prior to 1.2.3
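The following is an added example, not part of the advisory or of Apache Taglibs: one way to inventory WAR/EAR archives for bundled Taglibs jars older than 1.2.3. The jar file-name pattern is an assumption (Maven-style artifact names), and the sample archive is constructed for illustration.

```python
import io
import re
import zipfile

FIXED = (1, 2, 3)  # first fixed release, per the advisory
# Assumption: bundled jars keep Maven-style names, i.e.
# taglibs-standard-{spec,impl,jstlel,compat}-<ver>.jar or legacy standard-<ver>.jar.
JAR_RE = re.compile(
    r"(?:^|/)(?:taglibs-standard-(?:spec|impl|jstlel|compat)|standard)"
    r"-(\d+(?:\.\d+)*)([-.][A-Za-z][\w.-]*)?\.jar$")


def parse_version(text):
    """Pad to three components so tuple comparison is exact: '1.2' -> (1, 2, 0)."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def affected_jars(archive_bytes, label):
    """Return sorted (path, version) pairs for bundled jars older than FIXED."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            # Nested WAR/EAR entries are opened recursively.
            if name.lower().endswith((".war", ".ear")):
                hits += affected_jars(zf.read(name), f"{label}!{name}")
                continue
            m = JAR_RE.search(name)
            if not m:
                continue
            version, suffix = parse_version(m.group(1)), m.group(2) or ""
            # A pre-release build of the fixed version (e.g. -SNAPSHOT) is flagged too.
            if version < FIXED or (version == FIXED and suffix):
                hits.append((f"{label}!{name}", m.group(1) + suffix))
    return sorted(hits)


def build_sample_war():
    """Constructed sample input (file names only), not real deployment data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for jar in ("taglibs-standard-impl-1.2.1.jar", "standard-1.1.2.jar",
                    "taglibs-standard-spec-1.2.5.jar"):
            zf.writestr("WEB-INF/lib/" + jar, b"")
    return buf.getvalue()


if __name__ == "__main__":
    for path, version in affected_jars(build_sample_war(), "sample.war"):
        print("AFFECTED", version, path)
```

Matching is by file name only, so a renamed or shaded jar will not be reported; treat an empty result as "none found by name", not as proof of absence.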