Executive Summary
| Summary | |
|---|---|
| Title | New gnatsweb packages fix cross-site scripting |
| Informations | |||
|---|---|---|---|
| Name | DSA-1486 | First vendor Publication | 2008-02-04 |
| Vendor | Debian | Last vendor Modification | 2008-02-04 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N) | |||
|---|---|---|---|
| Cvss Base Score | 4.3 | Attack Range | Network |
| Cvss Impact Score | 2.9 | Attack Complexity | Medium |
| Cvss Expoit Score | 8.6 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| "r0t" discovered that gnatsweb, a web interface to GNU GNATS, did not correctly sanitize the database parameter in the main CGI script. This could allow the injection of arbitrary HTML, or javascript code. For the stable distribution (etch), this problem has been fixed in version 4.00-1etch1. We recommend that you upgrade your gnatsweb package. |
Original Source
| Url : http://www.debian.org/security/2008/dsa-1486 |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:19781 | |||
| Oval ID: | oval:org.mitre.oval:def:19781 | ||
| Title: | DSA-1486-1 gnatsweb - cross-site scripting | ||
| Description: | <q>r0t</q> discovered that gnatsweb, a web interface to GNU GNATS, did not correctly sanitise the database parameter in the main CGI script. This could allow the injection of arbitrary HTML, or JavaScript code. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1486-1 CVE-2007-2808 | Version: | 5 |
| Platform(s): | Debian GNU/Linux 4.0 | Product(s): | gnatsweb |
| Definition Synopsis: | |||
| Definition Id: oval:org.mitre.oval:def:7949 | |||
| Oval ID: | oval:org.mitre.oval:def:7949 | ||
| Title: | DSA-1486 gnatsweb -- cross-site scripting | ||
| Description: | r0t discovered that gnatsweb, a web interface to GNU GNATS, did not correctly sanitise the database parameter in the main CGI script. This could allow the injection of arbitrary HTML, or JavaScript code. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1486 CVE-2007-2808 | Version: | 3 |
| Platform(s): | Debian GNU/Linux 4.0 | Product(s): | gnatsweb |
| Definition Synopsis: | |||
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 1 | |
| Application | 1 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2008-02-05 | Name : Debian Security Advisory DSA 1486-1 (gnatsweb) File : nvt/deb_1486_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 36224 | Gnatsweb gnatsweb.pl database Parameter XSS |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2008-02-05 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1486.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:27:18 |
|
