Date: Sun, 29 Jul 2018 10:42:23 +0000 (UTC)
From: Jochen Neumeister <joneum@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r475643 - head/security/vuxml
Message-ID: <201807291042.w6TAgN9E073825@repo.freebsd.org>
Author: joneum Date: Sun Jul 29 10:42:23 2018 New Revision: 475643 URL: https://svnweb.freebsd.org/changeset/ports/475643 Log: document mantis issues PR: 229880 Submitted by: Nathan <ndowens.fbsd@yandex.com> Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sun Jul 29 10:40:28 2018 (r475642) +++ head/security/vuxml/vuln.xml Sun Jul 29 10:42:23 2018 (r475643) 
@@ -58,6 +58,42 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="0822a4cf-9318-11e8-8d88-00e04c1ea73d"> + <topic>mantis -- multiple vulnerabilities</topic> + <affects> + <package> + <name>mantis</name> + <range><lt>2.15.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>mantis reports:</p> + <blockquote cite="https://github.com/mantisbt/mantisbt/commit/8b5fa243dbf04344a55fe880135ec149fc1f439f"> + <p>Teun Beijers reported a cross-site scripting (XSS) vulnerability in + the Edit Filter page which allows execution of arbitrary code + (if CSP settings permit it) when displaying a filter with a crafted + name. Prevent the attack by sanitizing the filter name before display.</p> + <p>Ömer Cıtak, Security Researcher at Netsparker, reported this + vulnerability, allowing remote attackers to inject arbitrary code + (if CSP settings permit it) through a crafted PATH_INFO on + view_filters_page.php. Prevent the attack by sanitizing the output + of $_SERVER['PHP_SELF'] before display.</p> + </blockquote> + </body> + </description> + <references> + <url>https://github.com/mantisbt/mantisbt/commit/8b5fa243dbf04344a55fe880135ec149fc1f439f</url> + <url>https://github.com/mantisbt/mantisbt/commit/4efac90ed89a5c009108b641e2e95683791a165a</url> + <cvename>CVE-2018-14504</cvename> + <cvename>CVE-2018-13066</cvename> + </references> + <dates> + <discovery>2018-07-13</discovery> + <entry>2018-07-29</entry> + </dates> + </vuln> + <vuln vid="e97a8852-32dd-4291-ba4d-92711daff056"> <topic>py-bleach -- unsanitized character entities</topic> <affects>
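Review bot: the single <blockquote> carries cite="https://github.com/mantisbt/mantisbt/commit/8b5fa243dbf04344a55fe880135ec149fc1f439f", but its second paragraph (the crafted PATH_INFO on view_filters_page.php, fixed by sanitizing $_SERVER['PHP_SELF']) quotes a different fix, the one the <references> block lists as commit 4efac90ed89a5c009108b641e2e95683791a165a. Splitting the quote into two <blockquote> elements, each with the cite of the commit it actually quotes, keeps the attribution accurate; it would also help to order the two <cvename> entries to match the two paragraphs, since as written the entry gives no indication of which of CVE-2018-14504 and CVE-2018-13066 belongs to which issue. Separately, the vuln.xml header note visible at the top of this hunk ("Do not forget port variants") applies here: <affects> lists only the mantis package name, so confirm that no flavored or otherwise differently named mantis packages exist in the tree before committing, and add them to the <affects> block if they do.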