[Pkg-zope-developers] Bug#373667: zope-zms: CVE-2006-2997: cross-site scripting
Alec Berryman
alec at thened.net
Wed Jun 14 22:02:58 UTC 2006
Package: zope-zms
Severity: normal
Tags: security
CVE-2006-2997: "Cross-site scripting (XSS) vulnerability in ZMS 2.9 and
earlier, when register_globals is enabled, allows remote attackers to
inject arbitrary web script or HTML via the raw parameter in the search
field."
Note that 'register_globals' must be set 'on' for this to be a
vulnerability.
The original BugTraq posting [1] does not include a patch, and no new
upstream version has been released.
This appears to affect sarge.
Please mention the CVE in the changelog.
Thanks,
Alec
[1] http://www.securityfocus.com/archive/1/archive/1/436703/100/0/threaded