oss-sec mailing list archives

blosxom XSS issue (CVE-2008-2236)


From: Gerfried Fuchs <rhonda () deb at>
Date: Thu, 2 Oct 2008 18:30:47 +0200

        Hi!

 I'd like to inform you of an XSS issue in blosxom which was reported
by Yoshinori Ohta of Business Architects Inc. and got assigned the IDs
CVE-2008-2236 and JVN#03300113. The problem allowed injecting arbitrary
output into the default error page and possibly any plugin that uses the
$flavour variable in its output directly.

 A fixed version was released today and announced on the blosxom-users
list:
<http://sourceforge.net/mailarchive/forum.php?thread_name=20081002155914.GL10579%40sym.noone.org&forum_name=blosxom-users>

 The Debian Bug about the issue:
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500873>

 The patch to fix the problem:
<http://blosxom.cvs.sourceforge.net/viewvc/blosxom/blosxom2/blosxom.cgi?r1=1.83&r2=1.84>

 Hope that helps. :)
Rhonda
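As an added illustration of the pattern the message above describes (example code written for this page, not blosxom's own code and not the upstream patch; how blosxom derives and handles $flavour is assumed here rather than taken from the page): a request-derived flavour name echoed into an error page, first unescaped and then validated and HTML-escaped.

```perl
#!/usr/bin/perl
# Illustrative only: not blosxom's code, not the CVE-2008-2236 fix.
use strict;
use warnings;

# Constructed sample: what a crafted request (e.g. an unexpected file
# extension in the URL) might hand the script as the requested flavour.
my $requested_flavour = q{<script>alert(1)</script>};

# Vulnerable pattern: interpolating the raw value into the HTML body,
# so markup in the request becomes markup in the error page.
sub error_page_unsafe {
    my ($flavour) = @_;
    return "<p>Error: flavour '$flavour' was not found.</p>";
}

# Escape the characters that change meaning in HTML text/attributes.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Hardened input handling (assumed approach, not the upstream one): only
# accept flavour names that look like a plain file extension, otherwise
# fall back to a known default.
sub safe_flavour {
    my ($flavour, $default) = @_;
    return $flavour
        if defined $flavour && $flavour =~ /\A[A-Za-z0-9_-]{1,32}\z/;
    return $default;
}

# Hardened output: escape whatever is echoed back, regardless of source.
sub error_page_safe {
    my ($flavour) = @_;
    my $shown = html_escape($flavour);
    return "<p>Error: flavour '$shown' was not found.</p>";
}

print error_page_unsafe($requested_flavour), "\n";    # script tag survives
print error_page_safe($requested_flavour), "\n";      # rendered as inert text
print safe_flavour($requested_flavour, 'html'), "\n"; # falls back to 'html'
```

Validating the name on input and escaping on output are independent defences; the second one is what protects any plugin that echoes $flavour, which is the case the advisory flags.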

