Bug 635598 (CVE-2016-7149, CVE-2016-7150, CVE-2017-5480, CVE-2017-5539) - www-apps/b2evolution: Multiple vulnerabilities
Summary: www-apps/b2evolution: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2016-7149, CVE-2016-7150, CVE-2017-5480, CVE-2017-5539
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-10-27 16:32 UTC by GLSAMaker/CVETool Bot
Modified: 2018-04-29 17:53 UTC

See Also:
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2017-10-27 16:32:22 UTC
CVE-2017-5539 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5539):
  The patch for directory traversal (CVE-2017-5480) in b2evolution version
  6.8.4-stable has a bypass vulnerability. An attacker can use ..\/ to bypass
  the filter rule. Then, this attacker can exploit this vulnerability to
  delete or read any files on the server. It can also be used to determine
  whether a file exists.

CVE-2017-5480 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5480):
  Directory traversal vulnerability in inc/files/files.ctrl.php in b2evolution
  through 6.8.3 allows remote authenticated users to read or delete arbitrary
  files by leveraging back-office access to provide a .. (dot dot) in the
  fm_selected array parameter.

CVE-2016-7150 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7150):
  Cross-site scripting (XSS) vulnerability in b2evolution 6.7.5 and earlier
  allows remote authenticated users to inject arbitrary web script or HTML via
  the site name.

CVE-2016-7149 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7149):
  Cross-site scripting (XSS) vulnerability in b2evolution 6.7.5 and earlier
  allows remote attackers to inject arbitrary web script or HTML via vectors
  related to the autolink function.
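The CVE-2017-5539 bypass above comes down to ordering: a string blocklist for "../" is applied to the raw input, and the path is only normalized (backslashes turned into slashes) afterwards, so "..\/" passes the check and becomes a traversal once normalized. The PHP below is an added illustration written for this bug page, not b2evolution's code; the real inc/files/files.ctrl.php logic is not shown here, and the function names, the media directory layout and the payloads are constructed for the demonstration.

```php
<?php
// Added illustration for this bug page; NOT b2evolution's code.
// naive_resolve() is a hypothetical filter that reproduces the ordering
// mistake behind a "..\/" bypass; safe_resolve() is the containment check
// a reviewer would ask for instead.

/**
 * Hypothetical vulnerable pattern: the "../" check runs on the raw input,
 * and separator normalization runs afterwards, so "..\/" slips through.
 */
function naive_resolve(string $base, string $userPath): ?string
{
    // Step 1: blocklist check on the raw string. Catches "../" only.
    if (strpos($userPath, '../') !== false) {
        return null;                       // rejected
    }
    // Step 2: normalize Windows-style separators. "..\/" becomes "..//",
    // and the filesystem collapses the doubled slash back into "../".
    $userPath = str_replace('\\', '/', $userPath);
    return $base . '/' . $userPath;
}

/**
 * Hardened form: normalize first, canonicalize with realpath(), then
 * require the result to stay inside the media root. Nonexistent and
 * out-of-root targets get the same null answer, so the caller cannot be
 * turned into a file-existence oracle for paths outside the root.
 */
function safe_resolve(string $base, string $userPath): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    $userPath = str_replace('\\', '/', $userPath);
    $target   = realpath($baseReal . '/' . $userPath);
    if ($target === false) {
        return null;                       // does not exist
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if ($target !== $baseReal && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;                       // escaped the root
    }
    return $target;
}

// Constructed fixture: a media root with one image, and a file one level
// above it that the file manager must never reach.
$root  = sys_get_temp_dir() . '/traversal-demo-' . getmypid();
$media = $root . '/media';
mkdir($media, 0700, true);
file_put_contents($media . '/photo.jpg', 'jpeg bytes');
file_put_contents($root . '/secret.txt', 'outside the media root');

$payloads = [
    'photo.jpg',        // legitimate selection
    '../secret.txt',    // caught by the naive blocklist
    '..\/secret.txt',   // the CVE-2017-5539 style bypass
];
foreach ($payloads as $p) {
    $naive = naive_resolve($media, $p);
    $safe  = safe_resolve($media, $p);
    printf("%-16s naive: %-32s safe: %s\n",
        $p,
        $naive === null ? 'rejected'
            : (is_file($naive) ? "reads '" . file_get_contents($naive) . "'" : 'no such file'),
        $safe === null ? 'rejected' : basename($safe));
}

// Clean up the fixture.
unlink($media . '/photo.jpg');
unlink($root . '/secret.txt');
rmdir($media);
rmdir($root);
```

Run with `php` on a POSIX host: naive_resolve() rejects "../secret.txt" but happily reads secret.txt through "..\/secret.txt", while safe_resolve() returns null for both and only resolves photo.jpg. Two caveats for anyone porting the hardened form: realpath() needs the target to exist, so for create or upload operations canonicalize and check the parent directory instead, and the prefix comparison must include the trailing separator (as above) or "/media-old" would pass as inside "/media".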
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-27 16:34:39 UTC
@Maintainers b2evolution is far behind upstream. 6.9.3-stable should contain the fixes. Please call for stabilization when ready.

Thank you
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2018-01-25 21:22:44 UTC
CC'ing treecleaners due to inactivity and outstanding vulnerabilities that remain unpatched.
Comment 3 Pacho Ramos gentoo-dev 2018-04-29 17:26:42 UTC
removed
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2018-04-29 17:53:49 UTC
GLSA Vote: No