From ${URL} :

Description

A vulnerability has been reported in PNP4Nagios, which can be exploited by malicious people to conduct cross-site scripting attacks.

Certain input is not properly sanitised in "views/kohana_error_page.php" before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability is reported in versions prior to 0.6.22.

Solution:
Update to version 0.6.22.

Provided and/or discovered by:
Originally reported by Peter Österberg in op5 Monitor.

Original Advisory:
http://docs.pnp4nagios.org/pnp-0.6/dwnld

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
CVE request: http://www.openwall.com/lists/oss-security/2014/07/03/1

I think http://sourceforge.net/p/pnp4nagios/code/ci/f846a6c9d007ca2bee05359af747619151195fc9/ is the fix.
+*pnp4nagios-0.6.24 (24 Oct 2014) + + 24 Oct 2014; Justin Lecher <jlec@gentoo.org> +pnp4nagios-0.6.24.ebuild: + Version BUmp; fixes security issues #516078 & #516140 +
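Review bot: The ChangeLog text "Version BUmp" has a stray capital and should read "Version bump". The entry also identifies the security issues only by bug number (#516078 & #516140); a few words on what each one fixes would let a reader of the ChangeLog see why the bump matters without looking up the bugs.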
Closing noglsa for XSS.
CVE-2014-4907 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4907): Cross-site scripting (XSS) vulnerability in share/pnp/application/views/kohana_error_page.php in PNP4Nagios before 0.6.22 allows remote attackers to inject arbitrary web script or HTML via a parameter that is not properly handled in an error message.
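The class of flaw described in the advisory and the CVE entry above, an error page that returns request-derived text without output encoding, shown beside a hardened form. This is an added example, not code from PNP4Nagios, Kohana or the upstream fix; the function names and the sample input are hypothetical.

```php
<?php
// Added illustration; not PNP4Nagios or Kohana source code.
// render_error_page_unsafe/safe, h() and the sample values are hypothetical.

/** Unsafe form: the error text is placed into the markup as-is. */
function render_error_page_unsafe(string $error, string $message): string
{
    return "<div id=\"error\"><h3>$error</h3><p>$message</p></div>";
}

/** Encode a value for an HTML text or quoted-attribute context. */
function h(string $value): string
{
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hardened form: every dynamic value is encoded at the point of output. */
function render_error_page_safe(string $error, string $message): string
{
    return '<div id="error"><h3>' . h($error) . '</h3><p>'
         . h($message) . '</p></div>';
}

// Constructed input: an error message that echoes a request parameter
// carrying markup.
$param   = '<em id="injected">x</em>';
$message = "Host '$param' not found";

$unsafe = render_error_page_unsafe('Not found', $message);
$safe   = render_error_page_safe('Not found', $message);

// In the unsafe page the parameter becomes a real element in the DOM;
// in the safe page it is inert text.
var_dump(strpos($unsafe, '<em id="injected">') !== false);
var_dump(strpos($safe, '<em') === false);

// Encoding is lossless: decoding yields the original message, so the
// operator still sees exactly what was submitted.
var_dump(html_entity_decode(h($message), ENT_QUOTES, 'UTF-8') === $message);

echo $safe, PHP_EOL;
```

Encoding belongs in the view at the point of output, so that every caller of the error page is covered regardless of where the message text originated.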