
Bug 329953 (CVE-2010-2480)

Summary: <dev-python/mako-0.3.4: XSS (CVE-2010-2480)
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: python
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.makotemplates.org/CHANGES
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 329787
Bug Blocks:

Description Stefan Behte (RETIRED) gentoo-dev Security 2010-07-26 15:58:23 UTC
CVE-2010-2480 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2480):
  Mako before 0.3.4 relies on the cgi.escape function in the Python
  standard library for cross-site scripting (XSS) protection, which
  makes it easier for remote attackers to conduct XSS attacks via
  vectors involving single-quote characters and a JavaScript onLoad
  event handler for a BODY element.
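The weakness the NVD text describes, shown as an added example that is not part of this bug or of Mako's code: cgi.escape's default mode only rewrote &, < and >, so a single quote passed through untouched and could terminate a single-quoted attribute value. The cgi module is gone from Python 3.13, so html.escape(..., quote=False) stands in for the old default here, beside html.escape(..., quote=True), which also rewrites both quote characters. The SAMPLE string and the render_attribute template fragment are constructed for the illustration; the check function is the kind of test a practitioner can run against whatever escaping helper a template engine relies on.

```python
import html


def escape_legacy_style(s: str) -> str:
    """Mimic cgi.escape's default (quote=False): only &, < and > are rewritten.
    Quote characters survive unchanged, which is the gap behind CVE-2010-2480."""
    return html.escape(s, quote=False)


def escape_for_attribute(s: str) -> str:
    """html.escape with quote=True additionally rewrites " and ', so the result
    is safe to embed inside either a single- or a double-quoted attribute."""
    return html.escape(s, quote=True)


# Constructed sample input: ordinary text that happens to contain a single
# quote, the character class the NVD description singles out.
SAMPLE = "O'Reilly <b>&</b>"


def render_attribute(value: str, escaper) -> str:
    """Constructed template fragment: untrusted text placed in a single-quoted
    attribute. With the legacy escaper the quote in the value closes the
    attribute early; with the attribute-safe escaper it cannot."""
    return "<body title='%s'>" % escaper(value)


def escaper_neutralizes_quotes(escaper) -> bool:
    """Defender's check for any escaping helper: after escaping, neither quote
    character may remain, otherwise the value can break out of the attribute
    it is embedded in."""
    out = escaper("'\"")
    return "'" not in out and '"' not in out


if __name__ == "__main__":
    for name, fn in (("cgi.escape-style", escape_legacy_style),
                     ("html.escape quote=True", escape_for_attribute)):
        print(name, "->", render_attribute(SAMPLE, fn),
              "| quotes neutralized:", escaper_neutralizes_quotes(fn))
```

Run stand-alone, the script prints the two renderings side by side: the legacy one carries three single quotes (the attribute delimiters plus the stray one from the value), the attribute-safe one only the two delimiters. The same escaper_neutralizes_quotes check applies to any custom escaping filter, not only html.escape.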
Comment 1 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-07-26 16:03:21 UTC
dev-python/mako-0.3.4 is already in the tree and is being stabilized in bug #329787.
Comment 2 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-09-29 17:05:08 UTC
Vulnerable versions have been deleted.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2010-09-29 17:50:13 UTC
XSS in webapp -> noglsa.