[arch-security] [ASA-201608-11] websvn: cross-site scripting
Arch Linux Security Advisory ASA-201608-11
==========================================

Severity: Medium
Date    : 2016-08-11
CVE-ID  : CVE-2016-1236
Package : websvn
Type    : cross-site scripting
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package websvn before version 2.3.3-7 is vulnerable to several
cross-site scripting issues.

Resolution
==========

Upgrade to 2.3.3-7.

# pacman -Syu "websvn>=2.3.3-7"

The problem has not been fixed upstream yet.

Workaround
==========

None.

Description
===========

Multiple cross-site scripting (XSS) vulnerabilities in revision.php,
log.php, listing.php, and comp.php in WebSVN allow context-dependent
attackers to inject arbitrary web script or HTML via the name of a file
or directory in a repository.

Impact
======

A remote attacker can execute arbitrary JavaScript code in the victim's
browser by creating a file or a directory with a specially crafted name
in a SVN repository.

References
==========

https://bugs.archlinux.org/task/50344
http://www.openwall.com/lists/oss-security/2016/05/05/22
https://access.redhat.com/security/cve/CVE-2016-1236
participants (1)
-
Remi Gacogne
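
Added example, not part of the advisory or of WebSVN: because the injection vector is a file or directory name, a repository served by an unpatched WebSVN can be audited for names containing HTML metacharacters. The sketch below assumes its input is the text output of `svn log -v`, so names that exist only in older revisions are covered too; the function names and the sample log are constructed for illustration.

```python
import html
import re

# Characters a browser treats as markup when a name is written into HTML unencoded.
HTML_SPECIAL = re.compile(r"[<>&\"']")
REV_HEADER = re.compile(r"^r(\d+) \| ")
# Changed-path line of `svn log -v`: action letter, path, optional copy source.
CHANGED = re.compile(r"^   [ADMR] (/.*?)(?: \(from (/.*):\d+\))?$")

def risky_names(path):
    """Return the file or directory names in path that contain HTML metacharacters."""
    return [name for name in path.split("/") if HTML_SPECIAL.search(name)]

def audit_log(text):
    """Scan `svn log -v` output; return (rev, path, risky names, HTML-encoded path)."""
    findings, rev, in_paths = [], None, False
    for line in text.splitlines():
        header = REV_HEADER.match(line)
        if header:
            rev, in_paths = int(header.group(1)), False
        elif line == "Changed paths:":
            in_paths = True
        elif in_paths and (m := CHANGED.match(line)):
            for path in filter(None, m.groups()):
                names = risky_names(path)
                if names:
                    findings.append((rev, path, names, html.escape(path)))
        else:
            in_paths = False  # a blank line ends the path list; the message follows
    return findings

# Constructed sample of `svn log -v` output (not from a real repository).
SAMPLE_LOG = """\
------------------------------------------------------------------------
r3 | alice | 2016-05-01 10:00:00 +0000 (Sun, 01 May 2016) | 1 line
Changed paths:
   D /trunk/docs/<b>release-notes.txt
   A /trunk/docs/release-notes.txt (from /trunk/docs/<b>release-notes.txt:2)

rename
------------------------------------------------------------------------
r2 | bob | 2016-04-30 09:00:00 +0000 (Sat, 30 Apr 2016) | 1 line
Changed paths:
   A /trunk/docs/<b>release-notes.txt

add notes
"""

if __name__ == "__main__":
    print(*audit_log(SAMPLE_LOG), sep="\n")
```

The last element of each finding is the form the name takes once it is HTML-encoded on output, which is what a browser should receive instead of the raw name.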