oss-sec mailing list archives
Re: CVE Request: ViewVC 1.1.5 / 1.0.11 -- XSS via user-provided 'search_re' input
From: Reed Loden <reed () reedloden com>
Date: Tue, 30 Mar 2010 07:03:44 -0500
On Mon, 29 Mar 2010 17:52:46 -0500 Reed Loden <reed () reedloden com> wrote:
> Just received an announcement stating ViewVC 1.1.5 and 1.0.11 were released today (right on the heels of 1.1.4 and 1.0.10, for which I still haven't received a CVE). Looks like they fix an XSS that needs a CVE assigned.
>
> "security fix: escape user-provided search_re input to avoid XSS attack"
Apparently, Secunia has already assigned this CVE-2010-0132, as per their advisory that just came out...

http://secunia.com/secunia_research/2010-26/

Again, still need a CVE for the XSS fix in ViewVC 1.1.4 and 1.1.10, however.

~reed

--
Reed Loden - <reed () reedloden com>
Current thread:
- CVE Request: ViewVC 1.1.5 / 1.0.11 -- XSS via user-provided 'search_re' input Reed Loden (Mar 29)
- Re: CVE Request: ViewVC 1.1.5 / 1.0.11 -- XSS via user-provided 'search_re' input Secunia Research (Mar 30)
- Re: CVE Request: ViewVC 1.1.5 / 1.0.11 -- XSS via user-provided 'search_re' input Reed Loden (Mar 30)
- Re: CVE Request: ViewVC 1.1.5 / 1.0.11 -- XSS via user-provided 'search_re' input Reed Loden (Mar 30)
- Re: CVE Request: ViewVC 1.1.5 / 1.0.11 -- XSS via user-provided 'search_re' input Steven M. Christey (Mar 30)
