Mirrored documentation

This page is a faithful mirror of the original Apache mod_pagespeed documentation (Apache License 2.0). The upstream project was retired and the modpagespeed.com domain is now operated by an unrelated commercial vendor; we host the original reference so users of nginx-module-pagespeed from GetPageSpeed can rely on a stable copy.

mod_pagespeed Security Advisory: Cross-Site Scripting

CVE Identifier: CVE-2012-4360

Disclosed: September 12, 2012

Versions Affected: mod_pagespeed versions 0.10.19.1 through 0.10.22.4 (inclusive). Versions 0.9.18.6 and earlier are unaffected.

Summary: mod_pagespeed performs insufficient escaping in some cases, which can permit a hostile 3rd party to inject JavaScript running in context of the site.

Solution: mod_pagespeed 0.10.22.6 has been released with a fix.