oss-sec mailing list archives

Re: CVE id request: ikiwiki


From: "Steven M. Christey" <coley () linus mitre org>
Date: Tue, 30 Mar 2010 16:41:06 -0400 (EDT)


On Wed, 17 Mar 2010, Nico Golde wrote:

"javascript insertion via svg uris

Ivan Shmakov pointed out that the htmlscrubber allowed data:image/* urls,
including data:image/svg+xml. But svg can contain javascript, so that is
unsafe."
http://ikiwiki.info/security/#index30h2

Note that this URL is erroneous (it's for an older, similar issue); you want this one:

http://ikiwiki.info/security/#index36h2

Use CVE-2010-1195

- Steve
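
An added example, not part of the original thread and not ikiwiki's own code (ikiwiki is written in Perl): a Python illustration of the flaw quoted above, where a rule that accepts any `data:image/*` URI also admits `image/svg+xml`, shown beside an explicit allowlist of raster types. The function names, the allowlist and the sample URIs are assumptions constructed for this illustration.

```python
# Added illustration; function names and the allowlist are assumptions,
# not taken from ikiwiki's htmlscrubber plugin.

# Raster formats that cannot carry script (constructed allowlist).
SAFE_IMAGE_TYPES = {"image/png", "image/gif", "image/jpeg"}


def data_uri_media_type(uri):
    """Return the lowercased media type of a data: URI, or None if not one."""
    uri = uri.strip()
    if uri[:5].lower() != "data:":
        return None
    header = uri[5:].split(",", 1)[0]            # text before the payload
    media_type = header.split(";", 1)[0].strip().lower()
    # RFC 2397: an omitted media type defaults to text/plain.
    return media_type or "text/plain"


def overbroad_allows(uri):
    """The policy the advisory describes as unsafe: any data:image/* passes."""
    media_type = data_uri_media_type(uri)
    return media_type is not None and media_type.startswith("image/")


def strict_allows(uri):
    """Hardened policy: only explicitly listed raster types pass."""
    # Anything not matched exactly (including None) is rejected: fail closed.
    return data_uri_media_type(uri) in SAFE_IMAGE_TYPES


# Constructed sample URIs; the SVG payload is an empty, script-free element.
SAMPLES = [
    "data:image/png;base64,iVBORw0KGgo=",
    "DATA:Image/SVG+XML;charset=utf-8,<svg xmlns='http://www.w3.org/2000/svg'/>",
    "data:,hello",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(data_uri_media_type(uri), overbroad_allows(uri), strict_allows(uri))
```

These functions judge only `data:` URIs; other schemes return `None` and are left to whatever rules the scrubber applies to them.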

