diff options
| author | Henrik Brix Andersen <brix@FreeBSD.org> | 2008-02-12 08:48:24 +0000 |
|---|---|---|
| committer | Henrik Brix Andersen <brix@FreeBSD.org> | 2008-02-12 08:48:24 +0000 |
| commit | c919f7d862d115f69ec5e0bf750dd531020ed7da (patch) | |
| tree | f2e4c73c5ebbb4166c5ba36a9b7c3587a51920f7 /security | |
| parent | 58a30da28626f12f4336bb8ce0122fd7b937b32d (diff) | |
Notes
Diffstat (limited to 'security')
| -rw-r--r-- | security/vuxml/vuln.xml | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 049d90c7a126..ecf259998d29 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -34,6 +34,35 @@ Note: Please add new entries to the beginning of this file. --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="739329c8-d8f0-11dc-ac2f-0016d325a0ed"> + <topic>ikiwiki -- javascript insertion via uris</topic> + <affects> + <package> + <name>ikiwiki</name> + <range><lt>2.32.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The ikiwiki development team reports:</p> + <blockquote cite="http://ikiwiki.info/security/#index30h2"> + <p>The htmlscrubber did not block javascript in uris. This was + fixed by adding a whitelist of valid uri types, which does not + include javascript. Some urls specifyable by the meta plugin + could also theoretically have been used to inject javascript; this + was also blocked.</p> + </blockquote> + </body> + </description> + <references> + <url>http://ikiwiki.info/security/#index30h2</url> + </references> + <dates> + <discovery>2008-02-10</discovery> + <entry>2008-02-11</entry> + </dates> + </vuln> + <vuln vid="1a818749-d646-11dc-8959-000bcdc1757a"> <topic>zenphoto -- XSS vulnerability</topic> <affects> |