262696 – (CVE-2009-0934) <net-im/ejabberd-2.0.4: XSS in MUC logs (CVE-2009-0934)

Bug 262696 (CVE-2009-0934) - <net-im/ejabberd-2.0.4: XSS in MUC logs (CVE-2009-0934)

Summary: <net-im/ejabberd-2.0.4: XSS in MUC logs (CVE-2009-0934)

Status:	RESOLVED FIXED

Alias:	CVE-2009-0934

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High minor (vote)
Assignee:	Gentoo Security

URL:	http://www.process-one.net/en/ejabber...
Whiteboard:	B4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2009-03-16 19:15 UTC by Hanno Böck
Modified:	2009-03-23 21:52 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Hanno Böck gentoo-dev

2009-03-16 19:15:46 UTC

Release notes of ejabberd 2.0.4:
http://www.process-one.net/en/ejabberd/release_notes/release_note_ejabberd_204

Cite:
# MUC: Prevent XSS in MUC logs by linkifying only a few known protocols

Comment 1 Stefan Behte (RETIRED) gentoo-dev

2009-03-19 00:10:07 UTC

CVE-2009-0934 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0934):
  Cross-site scripting (XSS) vulnerability in ejabberd before 2.0.4
  allows remote attackers to inject arbitrary web script or HTML via
  unknown vectors related to links and MUC logs.

Comment 2 Caleb Tennis (RETIRED) gentoo-dev

2009-03-22 18:16:19 UTC

2.0.4 is now in portage

Comment 3 Alex Legler (RETIRED) archtester

2009-03-22 18:28:54 UTC

Arches, please test and mark stable:
=net-im/ejabberd-2.0.4
Target keywords : "amd64 x86"

Comment 4 Markus Meier gentoo-dev

2009-03-23 21:25:36 UTC

amd64/x86 stable, all arches done.

Comment 5 Alex Legler (RETIRED) archtester

2009-03-23 21:31:27 UTC

GLSA voting, please.
I'm tempted to say NO.

Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev

2009-03-23 21:52:49 UTC

XSS => no, closing.