Bug 110466 - www-apps/xoops Multiple Script Insertion Vulnerabilities
Summary: www-apps/xoops Multiple Script Insertion Vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: All
Importance: High trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa] jaervosz
Reported: 2005-10-25 13:09 UTC by Vic Fryzel (shellsage) (RETIRED)
Modified: 2005-10-26 02:57 UTC
Description Vic Fryzel (shellsage) (RETIRED) gentoo-dev 2005-10-25 13:09:28 UTC
DESCRIPTION:
Keigo Yamazaki has reported some vulnerabilities in Xoops, which can
be exploited by malicious people to conduct script insertion
attacks.

1) Input passed to certain "XOOPS Code" tags isn't properly sanitised
before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context
of an affected site.

2) Certain input passed to the "newbb" forum module isn't properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session
when the user views a submitted forum message.

The vulnerabilities have been reported in the following versions:
* Xoops 2.0.12 JP and prior.
* Xoops 2.0.13.1 and prior.
* Xoops 2.2.3 RC1 and prior.

SOLUTION:
The vulnerabilities have reportedly been fixed in Xoops version
2.0.13 JP.

Reproducible: Always
Steps to Reproduce:
1.
2.
3.
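Both items in the report describe the same failure mode: user-supplied markup (XOOPS Code tags in the first case, newbb forum posts in the second) is converted to HTML and returned to other users without being escaped. The example below is added here and is not code from this bug, from Xoops or from any Xoops release; it assumes XOOPS Code is BBCode-style markup ([b], [url=...], [img]) and uses Python rather than Xoops's PHP to show the defect in general form: a tag converter written the unsafe way beside one that escapes the whole post first and validates anything placed into an attribute. The tag grammar, sample posts and function names are constructed for illustration.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample posts for illustration (not taken from the advisory).
SAMPLE_POSTS = [
    '[b]hello[/b] <script>alert(1)</script>',
    '[url=javascript:alert(1)]click[/url]',
    '[url=https://example.invalid/?a=1&b=2]ok[/url]',
    '[img]https://example.invalid/x.png" onerror="alert(1)[/img]',
]

# Assumed BBCode-style tag grammar; the real XOOPS Code grammar may differ.
TAG_B = re.compile(r'\[b\](.*?)\[/b\]', re.S)
TAG_URL = re.compile(r'\[url=([^\]]+)\](.*?)\[/url\]', re.S)
TAG_IMG = re.compile(r'\[img\]([^\[]+)\[/img\]', re.S)


def render_unsafe(post: str) -> str:
    """Unsafe pattern: tags are rewritten on the raw post and nothing is escaped.
    Raw HTML passes straight through and attribute values are never checked."""
    out = TAG_B.sub(r'<b>\1</b>', post)
    out = TAG_URL.sub(r'<a href="\1">\2</a>', out)
    out = TAG_IMG.sub(r'<img src="\1">', out)
    return out


def safe_url(raw: str) -> Optional[str]:
    """Return the URL only if it is an absolute http(s) URL containing no
    character that could terminate an attribute or start another; else None."""
    raw = raw.strip()
    if re.search(r'[\s"\'<>]', raw):
        return None
    parts = urlsplit(raw)
    if parts.scheme.lower() in ('http', 'https') and parts.netloc:
        return raw
    return None


def render_safe(post: str) -> str:
    """Hardened pattern: escape the whole post first, then rewrite tags on the
    escaped text, validating and re-escaping every value placed in an attribute."""
    escaped = html.escape(post, quote=True)

    def url_repl(m: re.Match) -> str:
        # The captured value is already-escaped text; unescape it to validate the real URL.
        url = safe_url(html.unescape(m.group(1)))
        if url is None:
            return m.group(2)  # drop the link, keep the (escaped) link text
        return '<a href="%s">%s</a>' % (html.escape(url, quote=True), m.group(2))

    def img_repl(m: re.Match) -> str:
        url = safe_url(html.unescape(m.group(1)))
        if url is None:
            return ''  # drop the image entirely
        return '<img src="%s">' % html.escape(url, quote=True)

    out = TAG_B.sub(r'<b>\1</b>', escaped)
    out = TAG_URL.sub(url_repl, out)
    out = TAG_IMG.sub(img_repl, out)
    return out


def contains_live_markup(rendered: str) -> bool:
    """Crude comparison check: does an unescaped <script> tag, an event-handler
    attribute or a javascript: link survive in the rendered output?"""
    return bool(re.search(r'<script|on\w+=|href="javascript:', rendered, re.I))


if __name__ == '__main__':
    for post in SAMPLE_POSTS:
        unsafe = render_unsafe(post)
        print('post   :', post)
        print('unsafe :', unsafe, '<-- live markup' if contains_live_markup(unsafe) else '')
        print('safe   :', render_safe(post))
        print()
```

The order matters: escaping after tag conversion would also neutralise the generated tags, while converting before escaping (the unsafe variant) leaves whatever the poster typed intact. Escaping first and then re-introducing only the few tags the converter knows, with attribute values checked and re-escaped, is the pattern that closes both issues in the report.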
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-25 13:21:21 UTC
web-apps please provide an updated ebuild.
Comment 2 Renat Lumpau (RETIRED) gentoo-dev 2005-10-25 13:43:13 UTC
Bumped to 2.2.3, although I'm not sure it has the fix. Where is this advisory from?
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-10-26 02:57:13 UTC
From xoops-announcement ML:

==========
We have recently been warned about a security issue affecting all XOOPS
releases.
Because of this the release of 2.2.3RC2 we expected to do a few days ago
has been delayed until today, and another one (2.0.13.2) will come at
the same time.
We won't tell anything more here as we agreed not to disclose more
details publicly before tonight, but wanted you to get prepared for
these releases that will be done as soon as possible (which means tomorrow).
==============

So I guess 2.2.3 final is fixed.
Closed without GLSA as the package is ~.