Oracle Java Development Toolkit (JDK) contains a Javadoc toolkit that allows a developer to generate API documentation in HTML format from doc comments in source code.

Javadoc HTML pages that were created by Javadoc 7 Update 21 and before, 6 Update 45 and before, 5.0 Update 45 and before, JavaFX 2.2.21 and before contain JavaScript code that fails to parse scheme relative URIs parameters correctly. An attacker can construct a URI that passes malicious parameters to the affected HTML page that causes one of the frames within the Javadoc-generated web page to be replaced with a malicious page.



For additional information please see Oracle Security Advisory.