From $URL: A malicious person can use specially crafted URL parameters to TWiki view and login scripts that execute arbitrary Javascript code in the browser. Examples: 1. Specially crafted rev parameter to the view script of TWiki: GET /twiki/bin/view?rev=%27%3E%3Cscript%3Ealert%28Hello%29%3C/script%3E 2. Specially crafted parameter to the login script of TWiki: GET /twiki/bin/login?origurl=&ANYTHING%27%3E%3Cscript%3Ealert%28Hello%29%3C/script%3E In both examples, TWiki decodes the URL parameter into the following Javascript code, popping up a Javascript alert box showing "Hello": '><script>alert(Hello)</script>
CVE-2010-3841 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3841): Multiple cross-site scripting (XSS) vulnerabilities in lib/TWiki.pm in TWiki before 5.0.1 allow remote attackers to inject arbitrary web script or HTML via (1) the rev parameter to the view script or (2) the query string to the login script.
package has been removed from tree
(In reply to comment #2) > package has been removed from tree Thanks. Closing noglsa since twiki was only ever ~arch.
