Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 326395 - <www-apps/roundup-1.4.14: XSS (CVE-2010-2491)
Summary: <www-apps/roundup-1.4.14: XSS (CVE-2010-2491)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-07-01 03:09 UTC by Arfrever Frehtes Taifersar Arahesis (RETIRED)
Modified: 2010-10-01 20:28 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-07-01 03:09:33 UTC
"Fixed:
- User input not escaped when a bad template name is supplied (thanks
  Benjamin Pollack)"

http://roundup.svn.sourceforge.net/viewvc/roundup?view=revision&revision=4486
Comment 1 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-07-01 03:10:41 UTC
Stabilize www-apps/roundup-1.4.14.
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2010-07-01 09:36:18 UTC
x86 stable
Comment 3 Raúl Porcel (RETIRED) gentoo-dev 2010-07-03 12:37:50 UTC
sparc stable
Comment 4 Markos Chandras (RETIRED) gentoo-dev 2010-07-04 08:40:51 UTC
amd64 done
Comment 5 Joe Jezak (RETIRED) gentoo-dev 2010-07-19 01:25:55 UTC
Marked ppc stable.
Comment 6 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-07-21 16:22:12 UTC
XSS in a webapp -> closing noglsa.
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2010-10-01 20:28:45 UTC
CVE-2010-2491 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2491):
  Cross-site scripting (XSS) vulnerability in cgi/client.py in Roundup
  before 1.4.14 allows remote attackers to inject arbitrary web script
  or HTML via the template argument to the /issue program.