From ${URL} : xhprof, a hierarchial profiler for PHP, was found to have a Cross-Site Scripting vulnerability in it's run parameter, because it fails to sufficiently sanitize the user input. To exploit this vulnerability, an attacker must entice an unsuspecting user to follow a malicious URI, which could compromise the cookie-based authentication information, execute arbitrary client-side scripts in the context of the browser, or obtain sensitive information. The issue is known to be fixed in Xhprof 0.9.4. References: http://www.securityfocus.com/bid/62928/info http://pecl.php.net/package-changelog.php?package=xhprof&release=0.9.4 @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
We are not affected by this bug since we only distribute the php extension itself, not the web interface in which this bug lies.
(In reply to Ole Markus With from comment #1) > We are not affected by this bug since we only distribute the php extension > itself, not the web interface in which this bug lies. Thanks for checking.