Arch Linux Security Advisory ASA-201710-13 ========================================== Severity: High Date : 2017-10-10 CVE-ID : CVE-2017-15213 CVE-2017-15214 Package : flyspray Type : cross-site scripting Remote : Yes Link : https://security.archlinux.org/AVG-439 Summary ======= The package flyspray before version 1.0rc6-1 is vulnerable to cross- site scripting. Resolution ========== Upgrade to 1.0rc6-1. # pacman -Syu "flyspray>=1.0rc6-1" The problems have been fixed upstream in version 1.0rc6. Workaround ========== None. Description =========== - CVE-2017-15213 (cross-site scripting) A stored XSS vulnerability in Flyspray before 1.0-rc6 allows an authenticated user to inject JavaScript to gain administrator privileges, via the real_name or email_address field in themes/CleanFS/templates/common.editallusers.tpl. - CVE-2017-15214 (cross-site scripting) A stored XSS vulnerability in Flyspray between 1.0-rc4 and 1.0-rc6 allows an authenticated user to inject JavaScript to gain administrator privileges and also to execute JavaScript against other users (including unauthenticated users), via the name, title, or id parameter of dokuwiki links in plugins/dokuwiki/lib/plugins/changelinks/syntax.php. Impact ====== A remote attacker is able to perform a cross-side scripting attack and possibly gain administrator privileges by injecting malicious javascript. References ========== http://www.openwall.com/lists/oss-security/2017/10/10/6 https://github.com/Flyspray/flyspray/commit/754ec5d04348ef7ecb8cb02ade976dc4... https://github.com/Flyspray/flyspray/commit/00cfae5661124f9d67ac6733db61b2bf... https://security.archlinux.org/CVE-2017-15213 https://security.archlinux.org/CVE-2017-15214