oss-sec mailing list archives

Re: CVE Request: ViewVC 1.1.5 / 1.0.11 -- XSS via user-provided 'search_re' input


From: "Steven M. Christey" <coley () linus mitre org>
Date: Tue, 30 Mar 2010 13:49:08 -0400 (EDT)


On Tue, 30 Mar 2010, Reed Loden wrote:

Apparently, Secunia has already assigned this CVE-2010-0132, as per
their advisory that just came out...

http://secunia.com/secunia_research/2010-26/

Again, still need a CVE for the XSS fix in ViewVC 1.1.4 and 1.1.10,
however.


Here's what I have:

  CVE-2010-0736 - XSS in view_queryform (lib/viewvc.py) in 1.1.x before
  1.1.4, and 1.0 before 1.0.10.  (Note that Vincent Danen assigned a CVE
  last week at http://www.openwall.com/lists/oss-security/2010/03/16/14)

  CVE-2010-0132 - Secunia-assigned; for "regular expression search" before
  1.0.11 / 1.1.5


- Steve

