[Secure-testing-team] Bug#563940: CVE-2009-4459: uses the title tag before defining the character encoding in a meta tag
Giuseppe Iuculano
iuculano at debian.org
Wed Jan 6 14:00:45 UTC 2010
Package: redmine
Severity: serious
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for redmine.
CVE-2009-4459[0]:
| Redmine 0.8.7 and earlier uses the title tag before defining the
| character encoding in a meta tag, which allows remote attackers to
| conduct cross-site scripting (XSS) attacks and inject arbitrary script
| via UTF-7 encoded values in the title parameter to a new issue page,
| which may be interpreted as script by Internet Explorer 7 and 8.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4459
http://security-tracker.debian.org/tracker/CVE-2009-4459
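The ordering problem described in CVE-2009-4459, turned into a defensive check; this is an added example, not code from the report or from Redmine. It parses a page's HTML and reports when `<title>` opens before any `<meta>` charset declaration, or when no such declaration exists. The class and function names and both sample pages are constructed for illustration, and a charset sent only in the HTTP Content-Type header is not considered.

```python
import re
from html.parser import HTMLParser

CHARSET_RE = re.compile(r"charset\s*=\s*[\"']?([\w.:-]+)", re.I)

class HeadOrder(HTMLParser):
    """Notes whether <title> opens before a <meta> charset declaration."""
    def __init__(self):
        super().__init__()
        self.charset = None        # first charset declared in a <meta> tag
        self.title_first = False   # True if <title> was seen before it

    def handle_starttag(self, tag, attrs):
        attrs = {k: v or "" for k, v in attrs}
        if self.charset is not None:
            return                 # encoding already fixed; later tags are fine
        if tag == "title":
            self.title_first = True
        elif tag == "meta":
            declared = attrs.get("charset", "")
            if not declared and attrs.get("http-equiv", "").lower() == "content-type":
                m = CHARSET_RE.search(attrs.get("content", ""))
                declared = m.group(1) if m else ""
            self.charset = declared.lower() or None

def check_charset_order(html):
    """Return a list of findings; an empty list means the order is safe."""
    parser = HeadOrder()
    parser.feed(html)
    parser.close()
    if parser.charset is None:
        return ["no charset declared in a meta tag"]
    if parser.title_first:
        return ["<title> precedes the meta charset declaration (%s)" % parser.charset]
    return []

# Constructed sample pages (not taken from Redmine).
TITLE_FIRST = """<html><head>
<title>New issue - Example tracker</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
</head><body></body></html>"""

CHARSET_FIRST = """<html><head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>New issue - Example tracker</title>
</head><body></body></html>"""

if __name__ == "__main__":
    for name, page in (("title first", TITLE_FIRST), ("charset first", CHARSET_FIRST)):
        print(name, "->", check_charset_order(page) or "ok")
```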