oss-sec mailing list archives
Re: Cgit XSS "vulnerability" has no CVE?
From: "Jason A. Donenfeld" <Jason () zx2c4 com>
Date: Mon, 7 Mar 2016 18:53:33 +0100
On Sat, Mar 5, 2016 at 6:41 PM, Peter Bex <peter () more-magic net> wrote:
> This allows for an XSS attack by anyone with write access: If you can push to a git repository for which the "txt2html" converter is activated, you can create a README or README.txt and insert arbitrary HTML.
The XSS situation in those release notes does not cover what you've described here. You're conflating two separate things.