author | delphij <delphij@FreeBSD.org> | 2008-05-14 16:51:43 +0800 |
---|---|---|
committer | delphij <delphij@FreeBSD.org> | 2008-05-14 16:51:43 +0800 |
commit | 15782f31b9ddfb6ef057600b1507db0fcc4837ee (patch) | |
tree | 02688d73b366f0bb6bd31482bb4f668122c65705 /security | |
parent | 1c72140e0da43bc902e219469e92a8f73f96a7b6 (diff) | |
Document django XSS vulnerability.
Diffstat (limited to 'security')
-rw-r--r-- | security/vuxml/vuln.xml | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index ea3eb27ef848..62e83411986e 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -34,6 +34,48 @@
 Note: Please add new entries to the beginning of this file.
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="f49ba347-2190-11dd-907c-001c2514716c">
+ <topic>django -- XSS vulnerability</topic>
+ <affects>
+ <package>
+ <name>py23-django</name>
+ <name>py24-django</name>
+ <name>py25-django</name>
+ <range><lt>0.96.2</lt></range>
+ </package>
+ <package>
+ <name>py23-django-devel</name>
+ <name>py24-django-devel</name>
+ <name>py25-django-devel</name>
+ <range><lt>20080511</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Django project reports:</p>
+ <blockquote cite="http://www.djangoproject.com/weblog/2008/may/14/security/">
+ <p>The Django administration application will, when accessed by
+ a user who is not sufficiently authenticated, display a login
+ form and ask the user to provide the necessary credentials
+ before displaying the requested page. This form will be submitted
+ to the URL the user attempted to access, by supplying the current
+ request path as the value of the form's "action" attribute.</p>
+ <p>The value of the request path was not being escaped, creating an
+ opportunity for a cross-site scripting (XSS) attack by leading a
+ user to a URL which contained URL-encoded HTML and/or JavaScript
+ in the request path.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://www.djangoproject.com/weblog/2008/may/14/security/</url>
+ </references>
+ <dates>
+ <discovery>2008-05-10</discovery>
+ <entry>2008-05-14</entry>
+ </dates>
+ </vuln>
+
 <vuln vid="633716fa-1f8f-11dd-b143-0211d880e350">
 <topic>vorbis-tools -- Speex header processing vulnerability</topic>
 <affects>
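Review bot: The `<references>` block of the new `<vuln>` entry carries only the vendor weblog URL, so consumers of vuln.xml (pkg audit / portaudit and downstream trackers) cannot cross-reference this issue by CVE; if an identifier has been assigned, add `<cvename>CVE-YYYY-NNNN</cvename>` (placeholder for the actual id) next to the existing `<url>`. The `<lt>20080511</lt>` upper bound for the three py2X-django-devel packages presumably corresponds to a fixed snapshot date; it is worth confirming that a devel port at or after that date is actually in the tree, since otherwise every installed devel version stays flagged with no upgrade path. The `<lt>0.96.2</lt>` bound for py2X-django matches the vendor's fixed release as quoted in the description, so that range looks consistent.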