mod_pagespeed Security Advisory: Cross-Site Scripting

CVE Identifier:

CVE-2012-4360

Disclosed:

September 12, 2012

Versions Affected:

mod_pagespeed versions 0.10.19.1 through 0.10.22.4 (inclusive). Versions 0.9.18.6 and earlier are unaffected.

Summary:

mod_pagespeed performs insufficient escaping in some cases, which can permit a hostile 3rd party to inject JavaScript running in context of the site.

Solution:

mod_pagespeed 0.10.22.6 has been released with a fix.