[arch-security] [ASA-201608-11] websvn: cross-site scripting
Remi Gacogne
rgacogne at archlinux.org
Thu Aug 11 11:11:22 UTC 2016
Arch Linux Security Advisory ASA-201608-11
==========================================
Severity: Medium
Date : 2016-08-11
CVE-ID : CVE-2016-1236
Package : websvn
Type : cross-site scripting
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
Summary
=======
The package websvn before version 2.3.3-7 is vulnerable to several
cross-site scripting issues.
Resolution
==========
Upgrade to 2.3.3-7.
# pacman -Syu "websvn>=2.3.3-7"
The problem has not been fixed upstream yet.
Workaround
==========
None.
Description
===========
Multiple cross-site scripting (XSS) vulnerabilities in revision.php,
log.php, listing.php, and comp.php in WebSVN allow context-dependent
attackers to inject arbitrary web script or HTML via the name of a file
or directory in a repository.
Impact
======
A remote attacker can execute arbitrary javascript code in the victim's
browser by creating a file or a directory with a specially crafted name
in a SVN repository.
References
==========
https://bugs.archlinux.org/task/50344
http://www.openwall.com/lists/oss-security/2016/05/05/22
https://access.redhat.com/security/cve/CVE-2016-1236
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20160811/30d79d1e/attachment.asc>
More information about the arch-security
mailing list