Bug 326395

Summary: <www-apps/roundup-1.4.14: XSS (CVE-2010-2491)
Product: Gentoo Security
Component: Vulnerabilities
Reporter: Arfrever Frehtes Taifersar Arahesis (RETIRED) <arfrever>
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
Priority: High
CC: web-apps
Version: unspecified
Hardware: All
OS: All
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-07-01 03:09:33 UTC
"Fixed:
- User input not escaped when a bad template name is supplied (thanks
  Benjamin Pollack)"

http://roundup.svn.sourceforge.net/viewvc/roundup?view=revision&revision=4486
Comment 1 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-07-01 03:10:41 UTC
Stabilize www-apps/roundup-1.4.14.
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2010-07-01 09:36:18 UTC
x86 stable
Comment 3 Raúl Porcel (RETIRED) gentoo-dev 2010-07-03 12:37:50 UTC
sparc stable
Comment 4 Markos Chandras (RETIRED) gentoo-dev 2010-07-04 08:40:51 UTC
amd64 done
Comment 5 Joe Jezak (RETIRED) gentoo-dev 2010-07-19 01:25:55 UTC
Marked ppc stable.
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-07-21 16:22:12 UTC
XSS in a webapp -> closing noglsa.
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2010-10-01 20:28:45 UTC
CVE-2010-2491 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2491):
  Cross-site scripting (XSS) vulnerability in cgi/client.py in Roundup
  before 1.4.14 allows remote attackers to inject arbitrary web script
  or HTML via the template argument to the /issue program.
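The defect the bug and the CVE text describe is a reflected XSS: a request for a template name that does not exist produces an error page that embeds the attacker-supplied name without escaping it. The following Python is an added illustration of that pattern and of the fix, not code from Roundup's cgi/client.py or from the upstream commit; the error-message wording, the KNOWN_TEMPLATES set and the sample query string are constructed for the example, and the only fix shown is the generic one (HTML-escape the untrusted value before interpolating it into markup).

```python
import html
from urllib.parse import parse_qs

# Constructed sample request: the "template" query parameter carries markup.
# This is example input for the demo, not a request taken from the bug report.
REQUEST_QS = "template=<script>alert(1)</script>&@action=view"

# Hypothetical set of template names the application actually knows about.
KNOWN_TEMPLATES = {"index", "item", "search"}

ERROR_FMT = "<html><body>No template file exists for templating %s</body></html>"


def render_error_unsafe(template_name: str) -> str:
    """Vulnerable pattern: the unknown template name is interpolated into the
    HTML error page as-is, so any markup in it is reflected to the browser."""
    return ERROR_FMT % template_name


def render_error_safe(template_name: str) -> str:
    """Hardened pattern: HTML-escape the untrusted value (including quotes)
    before embedding it, so it is rendered as text rather than parsed as tags."""
    return ERROR_FMT % html.escape(template_name, quote=True)


def handle(query_string: str, safe: bool) -> str:
    """Dispatch a request: known templates render normally, unknown ones hit
    the error path, which is where the escaping (or lack of it) matters."""
    params = parse_qs(query_string, keep_blank_values=True)
    template = params.get("template", ["index"])[0]
    if template in KNOWN_TEMPLATES:
        return "<html><body>rendered %s</body></html>" % template
    return render_error_safe(template) if safe else render_error_unsafe(template)


def contains_raw_script(page: str) -> bool:
    """Detection check a tester would run: does a literal <script> tag survive
    into the response body?"""
    return "<script>" in page.lower()


if __name__ == "__main__":
    print("unsafe reflects markup:", contains_raw_script(handle(REQUEST_QS, safe=False)))
    print("safe reflects markup:  ", contains_raw_script(handle(REQUEST_QS, safe=True)))
```

The same check applies when verifying a deployment: request a deliberately bogus template name containing a harmless tag and confirm the error page returns it entity-encoded. A vulnerable install echoes the tag verbatim; a fixed one (Roundup 1.4.14 or later) does not.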