Multiple cross-site scripting (XSS) vulnerabilities in the
GetURLArguments function in jpgraph.php in Aditus Consulting JpGraph
3.0.6 allow remote attackers to inject arbitrary web script or HTML
via a key to csim_in_html_ex1.php, and other unspecified vectors.
php: ping. Patch is available at http://seclists.org/bugtraq/2009/Dec/285
Find ebuilds for 3.0.7 and 2.3 in the php overlay
jpgraph-3.0.7 has been in the tree since April. Leaving stable decision to security.
The issue is not fixed in version 3.0.7.
A patch is available at http://archives.neohapsis.com/archives/fulldisclosure/2009-12/0428.html, I would prefer using htmlspecialchars() instead of urlencode() though.
Wow, this is ancient. And upstream hasn't released a new stable version. So I've taken the liberty to provide my own patch, using htmlentities() instead of urlencode() as suggested.
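To illustrate the encoder choice discussed above, here is an added example that is not JpGraph's code and not the patch from this bug. build_image_tag_unsafe() and build_image_tag_safe() are hypothetical stand-ins for a CSIM helper that re-emits the request's query arguments into generated HTML; the input array is constructed in place of $_GET so the script runs from the command line. Rather than swapping one encoder for the other, it applies urlencode() to the query-string component and htmlspecialchars() to the HTML attribute, each for the context it is designed for.

```php
<?php
// Added example, not JpGraph's own code: the two functions below are
// hypothetical stand-ins for a CSIM helper that rebuilds the request's
// query arguments into an <img> tag. A constructed $args array replaces
// $_GET so the script runs offline.

// Unsafe: raw key/value pairs are concatenated straight into an HTML
// attribute, so any markup-significant character in the request lands in
// the page unchanged.
function build_image_tag_unsafe(array $args, string $script): string {
    $query = '';
    foreach ($args as $key => $value) {
        $query .= $key . '=' . $value . '&';
    }
    return '<img src="' . $script . '?' . rtrim($query, '&') . '">';
}

// Hardened: urlencode() makes each pair safe inside the query string, and
// htmlspecialchars() with ENT_QUOTES makes the finished URL safe inside a
// double- or single-quoted HTML attribute (it also turns the '&' pair
// separators into '&amp;', as HTML attributes require).
function build_image_tag_safe(array $args, string $script): string {
    $pairs = [];
    foreach ($args as $key => $value) {
        $pairs[] = urlencode((string) $key) . '=' . urlencode((string) $value);
    }
    $url = $script . '?' . implode('&', $pairs);
    return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed input containing attribute-breaking characters.
$args = ['chart' => 'sales', 'title' => 'Q4 "Totals" <draft>'];
echo build_image_tag_unsafe($args, 'chart.php'), "\n";
echo build_image_tag_safe($args, 'chart.php'), "\n";
```

Running it shows the unsafe variant emitting the quote and angle brackets verbatim inside the attribute, while the hardened variant yields only percent-encoded and entity-encoded output.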
Clear to go stable with jpgraph-3.0.7-r1?
(In reply to comment #5)
> Clear to go stable with jpgraph-3.0.7-r1?
We're good if you are. ;)
Arches, please test and mark stable:
Target keywords : "alpha amd64 hppa ppc sparc x86"
Stable for HPPA.
ppc stable, last arch, not closing due to security marking.
Closing noglsa for XSS.