[arch-security] [ASA-201608-11] websvn: cross-site scripting

Remi Gacogne rgacogne at archlinux.org
Thu Aug 11 11:11:22 UTC 2016


Arch Linux Security Advisory ASA-201608-11
==========================================

Severity: Medium
Date    : 2016-08-11
CVE-ID  : CVE-2016-1236
Package : websvn
Type    : cross-site scripting
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package websvn before version 2.3.3-7 is vulnerable to several
cross-site scripting issues.

Resolution
==========

Upgrade to 2.3.3-7.

# pacman -Syu "websvn>=2.3.3-7"

The problem has not been fixed upstream yet.

Workaround
==========

None.

Description
===========

Multiple cross-site scripting (XSS) vulnerabilities in revision.php,
log.php, listing.php, and comp.php in WebSVN allow context-dependent
attackers to inject arbitrary web script or HTML via the name of a file
or directory in a repository.

Impact
======

A remote attacker can execute arbitrary javascript code in the victim's
browser by creating a file or a directory with a specially crafted name
in a SVN repository.

References
==========

https://bugs.archlinux.org/task/50344
http://www.openwall.com/lists/oss-security/2016/05/05/22
https://access.redhat.com/security/cve/CVE-2016-1236

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20160811/30d79d1e/attachment.asc>


More information about the arch-security mailing list