Date: Tue, 28 Jun 2011 09:18:48 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>,
        Luciano Bello <luciano@...ian.org>, 631818@...s.debian.org
CC: oss-security@...ts.openwall.com
Subject: CVE Request -- DokuWiki -- XSS in DokuWiki's RSS embedding mechanism

Hello Josh, Steve, vendors,

   it was found that DokuWiki's RSS embedding mechanism did not properly
escape user-provided links. An attacker could use this flaw to conduct
cross-site scripting (XSS) attacks, potentially leading to arbitrary
JavaScript code execution.

References:
-----------
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631818
[2] http://www.certa.ssi.gouv.fr/site/CERTA-2011-AVI-366/CERTA-2011-AVI-366.html
[3] http://www.freelists.org/post/dokuwiki/Hotfix-Release-20110525a-Rincewind
[4] https://bugzilla.redhat.com/show_bug.cgi?id=717146

Solution:
---------
This issue has been addressed in upstream "2011-05-25 Rincewind"
release:
[5] http://www.dokuwiki.org/changes

This issue doesn't seem to have a CVE identifier yet. Could you allocate
one?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
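
The class of flaw reported above (feed-supplied links reaching HTML unescaped) is avoided when a feed renderer restricts link schemes and HTML-escapes the link before writing it into an `href`. The following is an added illustration, not part of the original message and not DokuWiki's code; the function names and the sample feed are hypothetical and constructed for the example.

```php
<?php
// Added illustration, not DokuWiki source: render RSS items as HTML links.
// All function names and the sample feed below are hypothetical/constructed.

// Accept only schemes that cannot execute script when the link is followed.
function safe_feed_href(string $url): ?string
{
    $url = trim($url);
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return null; // javascript:, data:, relative or malformed links are dropped
    }
    return $url;
}

// Escape for an HTML text node or quoted attribute; ENT_QUOTES covers ' and ".
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_feed_items(string $rssXml): string
{
    $feed = simplexml_load_string($rssXml);
    if ($feed === false) {
        return '<em>feed could not be parsed</em>';
    }
    $out = "<ul>\n";
    foreach ($feed->channel->item as $item) {
        $title = h((string) $item->title);
        $href  = safe_feed_href((string) $item->link);
        // No usable link: show the title as plain text instead of an anchor.
        $out .= $href === null
            ? "<li>$title</li>\n"
            : '<li><a href="' . h($href) . '" rel="nofollow noopener">' . $title . "</a></li>\n";
    }
    return $out . "</ul>\n";
}

// Constructed sample feed: one ordinary item, two with hostile <link> values.
$sample = <<<'XML'
<rss version="2.0"><channel><title>t</title>
<item><title>Release notes</title><link>http://example.org/news?id=1&amp;x=2</link></item>
<item><title>Quote breakout</title><link>http://example.org/" onmouseover="alert(1)</link></item>
<item><title>Script scheme</title><link>javascript:alert(1)</link></item>
</channel></rss>
XML;

echo render_feed_items($sample);
```

In the output, the second item's quote character is emitted as `&quot;` and so stays inside the attribute value, and the third item is rendered as plain text with no anchor.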
