CVE-2021-3427: The Deluge Web-UI is vulnerable to XSS through a crafted torrent file. The the data from torrent files is not properly sanitised as it's interpreted directly as HTML. Someone who supplies the user with a malicious torrent file can execute arbitrary Javascript code in the context of the user's browser session. Patches: https://dev.deluge-torrent.org/changeset/8ece03677 https://dev.deluge-torrent.org/changeset/a5503c0c606 Both in 2.1.0.
Still pending stabilisation :(
GLSA request filed
Please cleanup
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5e59c9a6bf0ee6b3aeea0c6b9bc6226896ecc5c5 commit 5e59c9a6bf0ee6b3aeea0c6b9bc6226896ecc5c5 Author: Joonas Niilola <juippis@gentoo.org> AuthorDate: 2022-10-15 06:44:49 +0000 Commit: Joonas Niilola <juippis@gentoo.org> CommitDate: 2022-10-15 06:47:46 +0000 net-p2p/deluge: drop 2.0.5-r2 Bug: https://bugs.gentoo.org/866842 Signed-off-by: Joonas Niilola <juippis@gentoo.org> net-p2p/deluge/Manifest | 1 - net-p2p/deluge/deluge-2.0.5-r2.ebuild | 144 ---------------------- net-p2p/deluge/files/deluge-2.0.3-UI-status.patch | 31 ----- net-p2p/deluge/files/deluge-2.0.3-setup.py.patch | 11 -- 4 files changed, 187 deletions(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=47660d7639f4e391ab61b168c33a2a1892d5dad8 commit 47660d7639f4e391ab61b168c33a2a1892d5dad8 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2022-10-16 14:42:29 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-10-16 14:45:24 +0000 [ GLSA 202210-07 ] Deluge: Cross-Site Scripting Bug: https://bugs.gentoo.org/866842 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202210-07.xml | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+)
GLSA released, all done!