Date: Fri,  6 May 2016 16:10:59 -0400 (EDT)
From: cve-assign@...re.org
To: carnil@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: ikiwiki: HTML-escape error messages to prevent cross-site scripting attack

> http://source.ikiwiki.branchable.com/?p=source.git;a=commit;h=32ef584dc5abb6ddb9f794f94ea0b2934967bba7

> The instance in cgierror() is a potential cross-site scripting attack,
> because an attacker could conceivably cause some module to raise an
> exception that includes attacker-supplied HTML in its message, for
> example via a crafted filename. (OVE-20160505-0012)

>> CGI.pm

Use CVE-2016-4561.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
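
The class of fix described in the quoted commit message, as an added example that is not part of the original message and is not ikiwiki's own code: an error page that HTML-escapes the exception text before embedding it. The sub names, the page template and the sample filename are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape the five characters that are significant in HTML text and in
# quoted attribute values. One pass over the string, so "&" is never
# double-escaped.
my %HTML_ENTITY = (
    '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
    '"' => '&quot;', "'" => '&#39;',
);

sub escape_html {
    my ($text) = @_;
    $text = '' unless defined $text;
    $text =~ s/([&<>"'])/$HTML_ENTITY{$1}/g;
    return $text;
}

# Before: the exception text is interpolated into the page verbatim, so
# any markup inside it is parsed by the browser.
sub error_page_unescaped {
    my ($message) = @_;
    return "<html><body><p class=\"error\">Error: ${message}</p></body></html>\n";
}

# After: the message is treated as untrusted text, whichever module raised it.
sub error_page_escaped {
    my ($message) = @_;
    return error_page_unescaped(escape_html($message));
}

# Constructed sample: a module dies with a message that embeds a
# caller-supplied filename containing harmless markup.
my $filename = 'notes<i title="x">.mdwn';
my $ok = eval { die "cannot read ${filename}: no such file\n"; 1 };
my $error = $ok ? '' : $@;
chomp $error;

print "unescaped: ", error_page_unescaped($error);
print "escaped:   ", error_page_escaped($error);

# The escaped message must contain no raw markup characters.
die "escaping failed\n" if escape_html($error) =~ /[<>"']/;
```

Escaping at the single point where the error page is rendered covers every module that can raise an exception, rather than relying on each one to sanitize its own messages.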
