Bug#859136: CVE-2016-1566: XSS vulnerability in file browser
Salvatore Bonaccorso
carnil at debian.org
Tue Oct 3 18:55:47 UTC 2017
Hi
On Mon, Oct 02, 2017 at 09:19:17PM +0200, Moritz Muehlenhoff wrote:
> On Thu, Mar 30, 2017 at 02:45:21PM -0400, Antoine Beaupre wrote:
> > Package: guacamole-client
> > X-Debbugs-CC: team at security.debian.org secure-testing-team at lists.alioth.debian.org
> > Severity: normal
> > Tags: security
> > Version: 0.9.9+dfsg-1
> >
> > Hi,
> >
> > the following vulnerability was published for guacamole.
> >
> > CVE-2016-1566[0]:
> > | Cross-site scripting (XSS) vulnerability in the file browser in
> > | Guacamole 0.9.8 and 0.9.9, when file transfer is enabled to a location
> > | shared by multiple users, allows remote authenticated users to inject
> > | arbitrary web script or HTML via a crafted filename. NOTE: this
> > | vulnerability was fixed in guacamole.war on 2016-01-13, but the
> > | version number was not changed.
>
> What's the status? More than half a year has passed.
Upstream commit, afaics
https://github.com/glyptodon/guacamole-client/commit/7da13129c432d1c0a577342a9bf23ca2bde9c367
Regards,
Salvatore
More information about the pkg-remote-team
mailing list