List: oss-security
Subject: Re: [oss-security] CVE Request: ViewVC 1.1.4 / 1.0.10 -- XSS via
From: Vincent Danen <vdanen () redhat ! com>
Date: 2010-03-16 20:07:50
Message-ID: 20100316200750.GA2524 () redhat ! com
* [2010-03-10 16:34:18 -0600] Reed Loden wrote:
>Just received an announcement stating ViewVC 1.1.4 and 1.0.10 were
>released today. Looks like they fix an XSS that needs a CVE assigned.
>
>"security fix: escape user-provided query form input to avoid XSS
>attack"
>
>http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2313&r2=2342&pathrev=HEAD
>
>Here's the patch for the XSS:
>http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2326
>
>* lib/viewvc.py
> (view_queryform): Escape user-provided input before passing it
> directly off to the templates. Can you say "XSS attack vector"?
Please use CVE-2010-0736 for this issue.
--
Vincent Danen / Red Hat Security Response Team
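The CHANGES entry above describes the fix as escaping user-provided query form input before it reaches the templates. The following is an added illustration of that class of fix, not ViewVC's own code; the field names, the template and the sample form submission are all hypothetical.

```python
# Added example (not ViewVC's code): HTML-escape user-supplied query form
# fields at the boundary, before they are substituted into a page template.
from html import escape
from string import Template

# Constructed sample of a query form submission. The second value carries
# a quote and markup so that it would break out of an attribute value if
# echoed back unescaped.
SAMPLE_FORM = {
    "who": "alice",
    "comment": '"><em>not a comment</em>',
}

# Hypothetical template: a query form page echoes the submitted values back
# as the default values of its own inputs.
QUERY_FORM_TEMPLATE = Template(
    '<input name="who" value="$who">'
    '<input name="comment" value="$comment">'
)


def render_unescaped(form: dict) -> str:
    """Vulnerable variant: raw request values go straight into the template."""
    return QUERY_FORM_TEMPLATE.substitute(form)


def escape_form(form: dict) -> dict:
    """Return a copy of the form with every value HTML-escaped.

    quote=True also converts both quote characters, so a value can never
    terminate the attribute it is placed in.
    """
    return {name: escape(value, quote=True) for name, value in form.items()}


def render_escaped(form: dict) -> str:
    """Hardened variant: escape once at the boundary, then substitute."""
    return QUERY_FORM_TEMPLATE.substitute(escape_form(form))


def echoes_raw_markup(rendered: str) -> bool:
    """Check used in a review or test: did a submitted tag survive unescaped?"""
    return "<em>" in rendered


if __name__ == "__main__":
    print(render_unescaped(SAMPLE_FORM))  # attribute is broken open
    print(render_escaped(SAMPLE_FORM))    # markup rendered as literal text
```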