ArchLinux: 201710-13: flyspray: cross-site scripting
Summary
- CVE-2017-15213 (cross-site scripting)
A stored XSS vulnerability in Flyspray before 1.0-rc6 allows an
authenticated user to inject JavaScript to gain administrator
privileges, via the real_name or email_address field in
themes/CleanFS/templates/common.editallusers.tpl.
- CVE-2017-15214 (cross-site scripting)
A stored XSS vulnerability in Flyspray between 1.0-rc4 and 1.0-rc6
allows an authenticated user to inject JavaScript to gain administrator
privileges and also to execute JavaScript against other users
(including unauthenticated users), via the name, title, or id parameter
of dokuwiki links in
plugins/dokuwiki/lib/plugins/changelinks/syntax.php.
Resolution
Upgrade to 1.0rc6-1.
# pacman -Syu "flyspray>=1.0rc6-1"
The problems have been fixed upstream in version 1.0rc6.
References
https://www.openwall.com/lists/oss-security/2017/10/10/6 https://github.com/Flyspray/flyspray/commit/754ec5d04348ef7ecb8cb02ade976dc412b031f8 https://github.com/Flyspray/flyspray/commit/00cfae5661124f9d67ac6733db61b2bfee34dccc https://security.archlinux.org/CVE-2017-15213 https://security.archlinux.org/CVE-2017-15214
Workaround
None.