Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 262696 (CVE-2009-0934) - <net-im/ejabberd-2.0.4: XSS in MUC logs (CVE-2009-0934)
Summary: <net-im/ejabberd-2.0.4: XSS in MUC logs (CVE-2009-0934)
Alias: CVE-2009-0934
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
Depends on:
Reported: 2009-03-16 19:15 UTC by Hanno Böck
Modified: 2009-03-23 21:52 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2009-03-16 19:15:46 UTC
Release notes of ejabberd 2.0.4:

# MUC: Prevent XSS in MUC logs by linkifying only a few known protocols
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-03-19 00:10:07 UTC
CVE-2009-0934 (
  Cross-site scripting (XSS) vulnerability in ejabberd before 2.0.4
  allows remote attackers to inject arbitrary web script or HTML via
  unknown vectors related to links and MUC logs.

Comment 2 Caleb Tennis (RETIRED) gentoo-dev 2009-03-22 18:16:19 UTC
2.0.4 is now in portage
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-22 18:28:54 UTC
Arches, please test and mark stable:
Target keywords : "amd64 x86"
Comment 4 Markus Meier gentoo-dev 2009-03-23 21:25:36 UTC
amd64/x86 stable, all arches done.
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-23 21:31:27 UTC
GLSA voting, please.
I'm tempted to say NO.
Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-23 21:52:49 UTC
XSS => no, closing.