Re: CVE Request: ViewVC 1.1.4 / 1.0.10 -- XSS via user-provided query form input

[Vincent Danen <vdanen () redhat com>]

* [2010-03-10 16:34:18 -0600] Reed Loden wrote:

> Just received an announcement stating ViewVC 1.1.4 and 1.0.10 were
> released today. Looks like they fix an XSS that needs a CVE assigned.
>
> "security fix: escape user-provided query form input to avoid XSS
> attack"
>
> http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2313&r2=2342&pathrev=HEAD
>
> Here's the patch for the XSS:
> http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2326
>
> * lib/viewvc.py
>  (view_queryform): Escape user-provided input before passing it
>    directly off to the templates.  Can you say "XSS attack vector"?

Please use CVE-2010-0736 for this issue.

--
Vincent Danen / Red Hat Security Response Team