| Summary: | <www-apps/coppermine-1.5.20: Path Disclosure and XSS Vulnerabilities (CVE-2012-{1613,1614}) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Tim Sammut (RETIRED) <underling> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | trivial | CC: | mabi, web-apps |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://forum.coppermine-gallery.net/index.php/topic,74682.0.html | ||
| Whiteboard: | ~4 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | |||
| Bug Blocks: | 350913 | ||
|
Description
Tim Sammut (RETIRED)
2012-04-05 22:18:58 UTC
I've bumped the ebuild. It does throw a lot of strict standards warnings with php-5.4 but that should be okay. Thanks, Matti. Closing noglsa for ~arch only.

CVE-2012-1614 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1614): Coppermine Photo Gallery before 1.5.20 allows remote attackers to obtain sensitive information via (1) a direct request to plugins/visiblehookpoints/index.php, an invalid (2) page or (3) cat parameter to thumbnails.php, an invalid (4) page parameter to usermgr.php, or an invalid (5) newer_than or (6) older_than parameter to search.inc.php, which reveals the installation path in an error message.

CVE-2012-1613 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1613): Cross-site scripting (XSS) vulnerability in edit_one_pic.php in Coppermine Photo Gallery before 1.5.20 allows remote authenticated users with certain privileges to inject arbitrary web script or HTML via the keywords parameter.
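The two CVEs above are instances of two common PHP web-application defects: an unvalidated request parameter triggering a PHP warning whose default text contains the absolute script path, and a user-supplied text field echoed back into HTML without escaping. The following PHP snippet is an added illustration of the corresponding mitigations; it is not Coppermine's code or its 1.5.20 patch, and the helper names (`intParam`, `escapeForHtmlAttribute`) and the parameter names it reads are assumptions for the example.

```php
<?php
// Added illustration (not Coppermine code): mitigations for the two bug
// classes named in the report above.

// 1. Path disclosure. PHP's default warning/notice output includes the
//    absolute path of the file that raised it, so an invalid "page" or "cat"
//    value that reaches an arithmetic or array operation leaks the install
//    path. Keep errors out of the response body and send them to the log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Handler that records the full detail server-side and suppresses the default
// output, so the client never sees file names or line numbers.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    error_log(sprintf('[php %d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
    return true; // handled: PHP will not print its own message
});

// Validate integer parameters before use; anything that is not a positive
// integer falls back to a safe default instead of reaching the code that
// would warn on it.
function intParam(string $name, int $default = 1): int
{
    $v = filter_input(INPUT_GET, $name, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return ($v === false || $v === null) ? $default : $v;
}

// 2. XSS in a form field. Free text that is written back into an HTML
//    attribute must be escaped for that context; ENT_QUOTES covers both quote
//    characters so the value cannot close the attribute early.
function escapeForHtmlAttribute(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$page     = intParam('page');                    // hypothetical pagination parameter
$keywords = (string) ($_POST['keywords'] ?? ''); // hypothetical free-text field

// Vulnerable pattern (the defect class CVE-2012-1613 describes): the raw
// value is concatenated into markup.
//   echo '<input name="keywords" value="' . $keywords . '">';

// Hardened pattern: the same value is escaped for the attribute context, so
// markup characters render as inert text.
echo '<p>Page ' . $page . '</p>';
echo '<input name="keywords" value="' . escapeForHtmlAttribute($keywords) . '">';
```

The error-handler change addresses the disclosure symptom globally, but the `intParam` validation is what removes the warning at its source; both are worth having, since a new code path can always raise a warning the validation did not anticipate.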