CVE-2009-4422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4422): Multiple cross-site scripting (XSS) vulnerabilities in the GetURLArguments function in jpgraph.php in Aditus Consulting JpGraph 3.0.6 allow remote attackers to inject arbitrary web script or HTML via a key to csim_in_html_ex1.php, and other unspecified vectors.
Rerating. php: ping. Patch is available at http://seclists.org/bugtraq/2009/Dec/285
Find ebuilds for 3.0.7 and 2.3 in the php overlay
jpgraph-3.0.7 has been in the tree since April. Leaving stable decision to security.
The issue is not fixed in version 3.0.7. A patch is available at http://archives.neohapsis.com/archives/fulldisclosure/2009-12/0428.html, I would prefer using htmlspecialchars() instead of urlencode() though.
Wow, this is ancient. And upstream hasn't released a new stable version.. So I've taken the liberty to provide my own patch, using htmlentities() instead of urlencode as suggested. Clear to go stable with jpgraph-3.0.7-r1?
(In reply to comment #5) > > Clear to go stable with jpgraph-3.0.7-r1? We're good if you are. ;) Arches, please test and mark stable: =dev-php/jpgraph-3.0.7-r1 Target keywords : "alpha amd64 hppa ppc sparc x86"
amd64 stable
x86 stable
Stable for HPPA.
alpha/sparc stable
ppc stable, last arch, not closing due security marking.
Thanks everyone. Closing noglsa for XSS.