[Secure-testing-team] Bug#848641: spip: CVE-2016-9997 CVE-2016-9998
Salvatore Bonaccorso
carnil at debian.org
Mon Dec 19 05:37:25 UTC 2016
Source: spip
Version: 3.1.3-1
Severity: important
Tags: security upstream patch
Hi,
the following vulnerabilities were published for spip.
CVE-2016-9997[0]:
'id' parameter in '/ecrire/exec/puce_statut.php' XSS
CVE-2016-9998[1]:
'plugin' parameter in '/ecrire/exec/info_plugin.php' XSS
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-9997
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9997
[1] https://security-tracker.debian.org/tracker/CVE-2016-9998
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9998
Please adjust the affected versions in the BTS as needed. Only sid's
version has been doublechecked so far.
Regards,
Salvatore
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
More information about the Secure-testing-team
mailing list