Bug 326395 - <www-apps/roundup-1.4.14: XSS (CVE-2010-2491)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-07-01 03:09 UTC by Arfrever Frehtes Taifersar Arahesis (RETIRED)
Modified: 2010-10-01 20:28 UTC
Description Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-07-01 03:09:33 UTC
"Fixed:
- User input not escaped when a bad template name is supplied (thanks
  Benjamin Pollack)"

http://roundup.svn.sourceforge.net/viewvc/roundup?view=revision&revision=4486
Comment 1 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-07-01 03:10:41 UTC
Stabilize www-apps/roundup-1.4.14.
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2010-07-01 09:36:18 UTC
x86 stable
Comment 3 Raúl Porcel (RETIRED) gentoo-dev 2010-07-03 12:37:50 UTC
sparc stable
Comment 4 Markos Chandras (RETIRED) gentoo-dev 2010-07-04 08:40:51 UTC
amd64 done
Comment 5 Joe Jezak (RETIRED) gentoo-dev 2010-07-19 01:25:55 UTC
Marked ppc stable.
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-07-21 16:22:12 UTC
XSS in a webapp -> closing noglsa.
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2010-10-01 20:28:45 UTC
CVE-2010-2491 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2491):
  Cross-site scripting (XSS) vulnerability in cgi/client.py in Roundup
  before 1.4.14 allows remote attackers to inject arbitrary web script
  or HTML via the template argument to the /issue program.
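
The bug class described in the changelog entry and the CVE text (a bad template name echoed into the error page without escaping), shown next to its escaped form. This is an added example, not Roundup's code and not part of the original report: the `TEMPLATES` registry, the function names, the `strict` flag and the error wording are all hypothetical, and the sample input is constructed.

```python
import html
import re

# Hypothetical template registry; Roundup's real template loader differs.
TEMPLATES = {"item": "<h1>Issue {id}</h1>", "index": "<h1>All issues</h1>"}

# Assumed allowlist for template names (defence in depth, not from the report).
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# Constructed sample value for the template argument.
SAMPLE = "<script>alert(1)</script>"


def render_unescaped(template_name, issue_id):
    """'Before' form: an unknown template name is echoed into HTML as-is."""
    tpl = TEMPLATES.get(template_name)
    if tpl is None:
        return 404, "<p>No template named %s</p>" % template_name
    return 200, tpl.format(id=int(issue_id))


def render_fixed(template_name, issue_id, strict=False):
    """'After' form: escape the name wherever it is reflected.

    With strict=True, names outside the allowlist are rejected with a
    generic message and never reflected at all.
    """
    if strict and not NAME_RE.fullmatch(template_name):
        return 400, "<p>Invalid template name</p>"
    tpl = TEMPLATES.get(template_name)
    if tpl is None:
        safe = html.escape(template_name, quote=True)
        return 404, "<p>No template named %s</p>" % safe
    return 200, tpl.format(id=int(issue_id))


if __name__ == "__main__":
    for fn in (render_unescaped, render_fixed):
        print(fn.__name__, fn(SAMPLE, 1))
    print("strict", render_fixed(SAMPLE, 1, strict=True))
```

Escaping at the point of output is what the changelog entry describes; the allowlist is an extra layer that keeps malformed names out of the response entirely.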