The package bugzilla before version 5.0.3-1 is vulnerable to cross-site scripting.
Arch Linux Security Advisory ASA-201605-25
==========================================
Severity: Medium
Date    : 2016-05-19
CVE-ID  : CVE-2016-2803
Package : bugzilla
Type    : cross-site scripting
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE
Summary
=======
The package bugzilla before version 5.0.3-1 is vulnerable to cross-site
scripting.
Resolution
==========
Upgrade to 5.0.3-1.
# pacman -Syu "bugzilla>=5.0.3-1"
The problem has been fixed upstream in version 5.0.3.
Workaround
==========
None.
Description
===========
The dependency graph page (showdependencygraph.cgi) writes bug summaries
into its HTML output without escaping them. An attacker who can file or
edit a bug can therefore place JavaScript in the bug's summary; the script
is served to, and runs in the browser of, any user who views that bug's
dependency graph.
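Bugzilla is written in Perl and generates the graph with Graphviz; the model below is an added Python example, not Bugzilla's own code. It reproduces the class of defect the advisory describes: a stored bug summary interpolated into an HTML attribute, first without escaping and then with attribute-safe escaping. The image-map markup, the bug fields and the sample summary are assumed for illustration.

```python
import html
import re

# Constructed sample bug, not a real Bugzilla record: the summary closes the
# attribute it lands in and then opens a script tag.
SAMPLE_BUG = {
    "id": 12345,
    "summary": '"><script>alert(document.cookie)</script>',
}


def render_area_vulnerable(bug):
    """Image-map entry for one graph node, with the stored summary placed
    straight into the title attribute (the pattern behind CVE-2016-2803:
    no escaping between stored data and HTML output)."""
    return '<area shape="rect" href="show_bug.cgi?id=%d" title="%s">' % (
        bug["id"], bug["summary"])


def render_area_fixed(bug):
    """Same entry with the summary escaped for an attribute context.
    quote=True matters: a summary can break out of a double-quoted
    attribute with '"' alone, without containing '<' at all."""
    return '<area shape="rect" href="show_bug.cgi?id=%d" title="%s">' % (
        bug["id"], html.escape(bug["summary"], quote=True))


TAG_RE = re.compile(r"<[^>]+>")


def tags_in(markup):
    """Every HTML tag in a rendered fragment. A single <area> entry should
    yield exactly one tag; more means the summary injected its own."""
    return TAG_RE.findall(markup)


if __name__ == "__main__":
    for name, render in (("vulnerable", render_area_vulnerable),
                         ("fixed", render_area_fixed)):
        out = render(SAMPLE_BUG)
        print("%-10s %d tag(s): %s" % (name, len(tags_in(out)), out))
```

The same check (count the tags you expect versus the tags you get) is a cheap regression test for any template that emits user-controlled strings into attributes.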
Impact
======
An attacker who can submit or edit a bug report can execute arbitrary
JavaScript in the browser of any user who views the affected dependency
graph. The payload is stored on and served by the Bugzilla server, so it
runs in the security context of the Bugzilla site and can act with that
user's session.
References
==========
https://www.cve.org/CVERecord?id=CVE-2016-2803
https://bugzilla.mozilla.org/show_bug.cgi?id=1253263