Bug#859136: CVE-2016-1566: XSS vulnerability in file browser

Moritz Muehlenhoff jmm at debian.org
Mon Oct 2 19:19:17 UTC 2017


On Thu, Mar 30, 2017 at 02:45:21PM -0400, Antoine Beaupre wrote:
> Package: guacamole-client
> X-Debbugs-CC: team at security.debian.org secure-testing-team at lists.alioth.debian.org
> Severity: normal
> Tags: security
> Version: 0.9.9+dfsg-1
> 
> Hi,
> 
> the following vulnerability was published for guacamole.
> 
> CVE-2016-1566[0]:
> | Cross-site scripting (XSS) vulnerability in the file browser in
> | Guacamole 0.9.8 and 0.9.9, when file transfer is enabled to a location
> | shared by multiple users, allows remote authenticated users to inject
> | arbitrary web script or HTML via a crafted filename.  NOTE: this
> | vulnerability was fixed in guacamole.war on 2016-01-13, but the
> | version number was not changed.

What's the status? More than half a year has passed.

Cheers,
        Moritz



More information about the pkg-remote-team mailing list