Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 285020 (CVE-2009-2783) - www-apps/xoops Multiple vulnerabilities (CVE-2009-{2783,3963})
Summary: www-apps/xoops Multiple vulnerabilities (CVE-2009-{2783,3963})
Status: RESOLVED FIXED
Alias: CVE-2009-2783
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High trivial (vote)
Assignee: Gentoo Security
URL: http://xoops.svn.sourceforge.net/view...
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-09-14 22:41 UTC by Stefan Behte (RETIRED)
Modified: 2010-01-04 11:39 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2009-09-14 22:41:05 UTC 
CVE-2009-2783 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2783):
  Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 2.3.3
  allow remote attackers to inject arbitrary web script or HTML via the
  (1) op parameter to modules/pm/viewpmsg.php and (2) query string to
  modules/profile/user.php.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-09-14 22:42:51 UTC 
It's hardmasked, but you still might want to fix this. ;)
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-23 17:43:21 UTC 
CVE-2009-3963 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3963):
  Multiple unspecified vulnerabilities in XOOPS before 2.4.0 Final have
  unknown impact and attack vectors.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-23 17:51:52 UTC 
Since maintainers are not active and there is no major interest in the package (no users cc'd on the bugs), I have marked this package for removal:

+# Alex Legler <a3li@gentoo.org> (23 Nov 2009)
+# [Security] Masked for removal, bug 285020
+www-apps/xoops
+

Treecleaners, all yours.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-01-04 11:39:22 UTC 
Package is gone from the tree.