Bug#859136: CVE-2016-1566: XSS vulnerability in file browser
Salvatore Bonaccorso
carnil at debian.org
Sat Oct 10 18:46:09 BST 2020
Hi,
On Tue, Oct 03, 2017 at 08:55:47PM +0200, Salvatore Bonaccorso wrote:
> Hi
>
> On Mon, Oct 02, 2017 at 09:19:17PM +0200, Moritz Muehlenhoff wrote:
> > On Thu, Mar 30, 2017 at 02:45:21PM -0400, Antoine Beaupre wrote:
> > > Package: guacamole-client
> > > X-Debbugs-CC: team at security.debian.org secure-testing-team at lists.alioth.debian.org
> > > Severity: normal
> > > Tags: security
> > > Version: 0.9.9+dfsg-1
> > >
> > > Hi,
> > >
> > > the following vulnerability was published for guacamole.
> > >
> > > CVE-2016-1566[0]:
> > > | Cross-site scripting (XSS) vulnerability in the file browser in
> > > | Guacamole 0.9.8 and 0.9.9, when file transfer is enabled to a location
> > > | shared by multiple users, allows remote authenticated users to inject
> > > | arbitrary web script or HTML via a crafted filename. NOTE: this
> > > | vulnerability was fixed in guacamole.war on 2016-01-13, but the
> > > | version number was not changed.
> >
> > What's the status? More than half a year has passed.
>
> Upstream commit, afaics
>
> https://github.com/glyptodon/guacamole-client/commit/7da13129c432d1c0a577342a9bf23ca2bde9c367
Promted by the question from Markus: it looks no released version in
Debian actually ever contained the broken code in guacFileBrowser.js
as the version uploaded to Debian as 0.9.9+dfsg-1 was already with the
fixed code (note that the upstream versions are quite useless here as
they seem to have released twice 0.9.9).
Regards,
Salvatore
More information about the pkg-remote-team
mailing list