Bug 325575 (CVE-2010-1448)

Summary:	www-apps/lxr: multiple vulnerabilites (CVE-2010-{1448,1625})
Product:	Gentoo Security	Reporter:	Stefan Behte (RETIRED) <craig>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	trivial	CC:	web-apps
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://sourceforge.net/projects/lxr/files/stable/lxr-0.9.8/lxr-0.9.8.tgz/download
Whiteboard:	~3 [noglsa]
Package list:		Runtime testing required:	---

Description Stefan Behte (RETIRED) gentoo-dev

2010-06-25 19:59:12 UTC

CVE-2010-1448 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1448):
  Cross-site scripting (XSS) vulnerability in lib/LXR/Common.pm in LXR
  Cross Referencer before 0.9.8 allows remote attackers to inject
  arbitrary web script or HTML via vectors related to a string in the
  search page's TITLE element, a different vulnerability than
  CVE-2009-4497 and CVE-2010-1625.

Comment 1 Stefan Behte (RETIRED) gentoo-dev

2010-06-25 20:01:44 UTC

Please provide an updated ebuild.

Comment 2 Stefan Behte (RETIRED) gentoo-dev

2010-06-25 21:36:44 UTC

CVE-2010-1448 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1448):
  Cross-site scripting (XSS) vulnerability in lib/LXR/Common.pm in LXR
  Cross Referencer before 0.9.8 allows remote attackers to inject
  arbitrary web script or HTML via vectors related to a string in the
  search page's TITLE element, a different vulnerability than
  CVE-2009-4497 and CVE-2010-1625.

CVE-2010-1625 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1625):
  Cross-site scripting (XSS) vulnerability in LXR Cross Referencer
  before 0.9.7 allows remote attackers to inject arbitrary web script
  or HTML via vectors related to the search body and the results page
  for a search, a different vulnerability than CVE-2009-4497 and
  CVE-2010-1448.

Comment 3 Chris Reffett (RETIRED) gentoo-dev

2013-09-12 21:44:34 UTC

Security bumped and old cleaned. Closing noglsa.