Executive Summary
Summary | |
---|---|
Title | New ikiwiki packages fix cross-site scripting |
Information | | | |
---|---|---|---|
Name | DSA-2020 | First vendor publication | 2010-03-20 |
Vendor | Debian | Last vendor modification | 2010-03-20 |
Severity (vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
CVSS vector : N/A | | | |
---|---|---|---|
Overall CVSS Score | N/A | | |
Base Score | N/A | Environmental Score | N/A |
Impact Sub Score | N/A | Temporal Score | N/A |
Exploitability Sub Score | N/A | | |
Security-Database Scoring CVSS v2
CVSS vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N) | | | |
---|---|---|---|
CVSS Base Score | 4.3 | Access Vector | Network |
CVSS Impact Score | 2.9 | Access Complexity | Medium |
CVSS Exploitability Score | 8.6 | Authentication | None required |
Detail
Ivan Shmakov discovered that the htmlscrubber component of ikiwiki, a wiki compiler, performs insufficient input sanitization on data:image/svg+xml URIs. Because an SVG document can carry script code, an attacker can use such a URI to conduct cross-site scripting attacks.

For the stable distribution (lenny), this problem has been fixed in version 2.53.5. For the testing distribution (squeeze) and the unstable distribution (sid), this problem has been fixed in version 3.20100312.
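The scrubber mistake the advisory describes, as an added illustration in Python rather than ikiwiki's own Perl code: a weak policy that trusts every data:image/* URI beside a hardened one that only admits raster image types and therefore rejects image/svg+xml. The policy names, helper functions and sample URIs below are this example's own assumptions and are not taken from ikiwiki or from the advisory.

```python
"""Allowlisting data: URIs in an HTML scrubber.

Added example, not ikiwiki's own code. ``weak_is_safe`` models the class of
policy DSA-2020 describes (any data:image/* URI passes); ``hardened_is_safe``
only passes raster image types, so image/svg+xml, whose documents may carry
<script> elements and on* event handlers, is rejected. The sample URIs at the
bottom are constructed for this example.
"""
import base64
import re
from urllib.parse import unquote

# Only raster formats; SVG is an XML document and can carry script.
RASTER_TYPES = frozenset({"image/png", "image/jpeg", "image/gif"})


def normalise_url(url: str) -> str:
    """Mimic browser URL preprocessing: drop ASCII tab/newline anywhere and
    strip leading/trailing C0 controls and spaces, so 'data:\\timage/...'
    is judged the same way the browser will load it."""
    url = re.sub(r"[\t\n\r]", "", url)
    return re.sub(r"^[\x00-\x20]+|[\x00-\x20]+$", "", url)


def parse_data_uri(url: str):
    """Return (mime, params, is_base64, payload), or None if not a data: URI."""
    u = normalise_url(url)
    if u[:5].lower() != "data:":
        return None
    head, sep, payload = u[5:].partition(",")
    if not sep:                      # no body: not a usable data: URI
        return None
    parts = [p.strip().lower() for p in head.split(";")]
    mime = parts[0] or "text/plain"  # RFC 2397 default media type
    params = parts[1:]
    return mime, params, "base64" in params, payload


def decode_payload(url: str) -> bytes:
    """Decode the body so a reviewer can see what the URI really carries."""
    parsed = parse_data_uri(url)
    if parsed is None:
        raise ValueError("not a data: URI")
    _, _, is_b64, payload = parsed
    raw = unquote(payload)           # percent-decoding applies before base64
    return base64.b64decode(raw) if is_b64 else raw.encode()


def weak_is_safe(url: str) -> bool:
    """Weak policy: trusts every data:image/* URI, svg+xml included."""
    return normalise_url(url).lower().startswith("data:image/")


def hardened_is_safe(url: str) -> bool:
    """Hardened policy: explicit allowlist of raster types, no extra params."""
    parsed = parse_data_uri(url)
    if parsed is None:
        return False
    mime, params, _, _ = parsed
    if mime not in RASTER_TYPES:
        return False
    # Anything other than the base64 flag (e.g. charset=) is unexpected here.
    return all(p == "base64" for p in params)


# Constructed samples (not from the advisory).
SVG_WITH_SCRIPT = b"<svg xmlns='http://www.w3.org/2000/svg'><script>alert(1)</script></svg>"
SAMPLE_SVG_B64_URI = "data:image/svg+xml;base64," + base64.b64encode(SVG_WITH_SCRIPT).decode()
SAMPLES = [
    "data:image/png;base64,iVBORw0KGgo=",
    "data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'/>",
    SAMPLE_SVG_B64_URI,
    "DATA:Image/SVG+XML;charset=utf-8,<svg/>",
    "data:\timage/svg+xml,<svg/>",
    "data:image/png;charset=utf-8;base64,AAAA",
    "javascript:alert(1)",
]


def audit(urls):
    """Return [(url, weak_verdict, hardened_verdict)] for a list of URIs."""
    return [(u, weak_is_safe(u), hardened_is_safe(u)) for u in urls]


if __name__ == "__main__":
    for url, weak, hard in audit(SAMPLES):
        print(f"weak={weak!s:5} hardened={hard!s:5}  {url[:60]!r}")
```

Running the block prints both verdicts for each sample. Two points the advisory's one-liner hides: the check has to normalise before matching, because browsers drop tabs and newlines and ignore case in the scheme and media type, so a scrubber that compares the raw string judges a different URL from the one the browser loads; and a base64 body makes any search for `<script>` in the URL text useless, which is why the right fix is an allowlist of media types rather than a scan of the payload.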
Original Source
Url : http://www.debian.org/security/2010/dsa-2020
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
10 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
8 % | CWE-78 | Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') (CWE/SANS Top 25) |
6 % | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25) |
6 % | CWE-20 | Improper Input Validation |
5 % | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') (CWE/SANS Top 25) |
5 % | CWE-552 | Files or Directories Accessible to External Parties |
5 % | CWE-295 | Certificate Issues |
5 % | CWE-276 | Incorrect Default Permissions |
3 % | CWE-798 | Use of Hard-coded Credentials (CWE/SANS Top 25) |
3 % | CWE-732 | Incorrect Permission Assignment for Critical Resource (CWE/SANS Top 25) |
3 % | CWE-668 | Exposure of Resource to Wrong Sphere |
3 % | CWE-330 | Use of Insufficiently Random Values |
3 % | CWE-306 | Missing Authentication for Critical Function (CWE/SANS Top 25) |
3 % | CWE-200 | Information Exposure |
3 % | CWE-125 | Out-of-bounds Read |
3 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
3 % | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25) |
3 % | CWE-74 | Failure to Sanitize Data into a Different Plane ('Injection') |
2 % | CWE-787 | Out-of-bounds Write (CWE/SANS Top 25) |
2 % | CWE-640 | Weak Password Recovery Mechanism for Forgotten Password |
2 % | CWE-532 | Information Leak Through Log Files |
2 % | CWE-522 | Insufficiently Protected Credentials (CWE/SANS Top 25) |
2 % | CWE-502 | Deserialization of Untrusted Data |
2 % | CWE-400 | Uncontrolled Resource Consumption ('Resource Exhaustion') |
2 % | CWE-352 | Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25) |
2 % | CWE-331 | Insufficient Entropy |
2 % | CWE-252 | Unchecked Return Value |
2 % | CWE-203 | Information Exposure Through Discrepancy |
2 % | CWE-129 | Improper Validation of Array Index |
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2010-04-06 | Name : Ikiwiki 'htmlscrubber' Cross Site Scripting Vulnerability File : nvt/gb_ikiwiki_htmlscrubber_xss_vuln.nasl |
2010-03-30 | Name : Debian Security Advisory DSA 2020-1 (ikiwiki) File : nvt/deb_2020_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
63024 | ikiwiki htmlscrubber Component data:image/svg+xml URI XSS |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2010-03-23 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2020.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 11:29:19 | |