Executive Summary

This alert is flagged under the CWE/SANS Top 25 Most Dangerous Software Errors: its weakness class is CWE-79, cross-site scripting.
Summary

Title: New ikiwiki packages fix cross-site scripting

Information
Name: DSA-2020
Vendor: Debian
Severity (Vendor): N/A
First vendor publication: 2010-03-20
Last vendor modification: 2010-03-20
Revision: 1

Security-Database Scoring CVSS v3

CVSS vector: N/A
No CVSS v3 vector has been assigned to this alert; the overall, base, temporal and environmental scores and the impact and exploitability subscores are therefore all N/A.

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Base Score: 4.3
CVSS Impact Subscore: 2.9
CVSS Exploitability Subscore: 8.6
Attack Range: Network
Attack Complexity: Medium
Authentication: None Required
Impact: Confidentiality None, Integrity Partial, Availability None

Detail

Ivan Shmakov discovered that the htmlscrubber component of ikiwiki, a wiki compiler, performs insufficient input sanitization on data:image/svg+xml URIs. Because an SVG document can contain script code, an attacker who can place such a URI in wiki content can use it to conduct cross-site scripting attacks.

For the stable distribution (lenny), this problem has been fixed in version 2.53.5.

For the testing distribution (squeeze), this problem has been fixed in version 3.20100312.

For the unstable distribution (sid), this problem has been fixed in version 3.20100312.
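The advisory's point is that a URL allow-list which accepts every data:image/* media type lets through image/svg+xml, and an SVG is an XML document that can carry event handlers or <script>. The following is an added example, written for this page in Python rather than ikiwiki's Perl; it is not ikiwiki's own htmlscrubber code, and the two regular expressions, the scheme list, the attribute names in URL_ATTRS and the sample URIs are all assumptions made for the demonstration. It puts a weak allow-list (any data:image/ prefix passes) beside a hardened one (only png, jpeg and gif, with the subtype terminated by ';' or ',' so that prefix tricks such as image/png+xml fail), normalizes the URL the way a browser would before parsing it, and applies the check per attribute so only the offending attribute is dropped:

```python
import base64
import re

# Constructed sample URIs for this demonstration (not taken from the advisory).
# SVG is XML: it can carry event handlers and <script>, so an inline SVG
# data: URI that reaches the browser runs in the wiki's origin.
SVG_ONLOAD = ("data:image/svg+xml,"
              "<svg xmlns='http://www.w3.org/2000/svg' onload='alert(document.domain)'/>")
# base64 hides the payload from any check that merely greps the URI for '<script'.
SVG_B64 = "data:image/svg+xml;base64," + base64.b64encode(
    b"<svg xmlns='http://www.w3.org/2000/svg'><script>alert(1)</script></svg>"
).decode("ascii")
# Just the PNG signature bytes; enough for an allow-list check, which never decodes them.
PNG_B64 = "data:image/png;base64," + base64.b64encode(b"\x89PNG\r\n\x1a\n").decode("ascii")

# Hypothetical allow-lists in the shape a scrubber's URL check takes; they are
# illustrations, not ikiwiki's own regular expressions.
_SCHEMES = r"https?|ftp|mailto|irc"

# Weak form: every data: URI with an image/* media type passes, svg+xml included.
_WEAK = re.compile(
    rf"^(?:(?:{_SCHEMES}):|data:image/|[^:]+(?:$|[/?#]))|^#", re.I)

# Hardened form: only raster types a browser renders as pixels, never as a
# document, and the subtype must be closed by ';' or ',' so that
# 'image/pngfoo' or 'image/png+xml' cannot slip past a prefix match.
_HARDENED = re.compile(
    rf"^(?:(?:{_SCHEMES}):|data:image/(?:png|jpeg|gif)[;,]|[^:]+(?:$|[/?#]))|^#",
    re.I)
# In both, the '[^:]+(?:$|[/?#])' branch admits relative URLs: a value with no
# ':' before its first '/', '?' or '#' cannot carry a scheme at all.


def normalize(url: str) -> str:
    """Canonicalise the way browsers do before they parse a URL: drop leading
    and trailing C0 controls/spaces and remove tab, CR and LF anywhere, so the
    check sees 'javascript:' where the browser would, not 'java\\tscript:'."""
    url = re.sub(r"^[\x00-\x20]+|[\x00-\x20]+$", "", url)
    return re.sub(r"[\t\r\n]", "", url)


def url_allowed_weak(url: str) -> bool:
    return _WEAK.match(normalize(url)) is not None


def url_allowed_hardened(url: str) -> bool:
    return _HARDENED.match(normalize(url)) is not None


# Attributes whose value the browser fetches or navigates to (assumed set).
URL_ATTRS = {"href", "src", "longdesc", "cite", "action", "data"}


def scrub_attrs(attrs: dict, allowed=url_allowed_hardened) -> dict:
    """Return a copy of an element's attribute map with every URL-bearing
    attribute that fails the allow-list removed; the element itself survives."""
    return {name: value for name, value in attrs.items()
            if name.lower() not in URL_ATTRS or allowed(value)}


if __name__ == "__main__":
    for label, uri in (("svg/onload", SVG_ONLOAD), ("svg/base64", SVG_B64),
                       ("png/base64", PNG_B64), ("javascript:", "javascript:alert(1)")):
        print(f"{label:12} weak={url_allowed_weak(uri)!s:5} "
              f"hardened={url_allowed_hardened(uri)}")
```

Running the block shows the weak list accepting both SVG URIs while the hardened list rejects them and still accepts the PNG. The design choice worth noting is that the hardened check never inspects the payload: base64 encoding, entity encoding or a later SVG feature would defeat content inspection, whereas a closed allow-list of media types that browsers treat purely as pixel data does not need to know what the payload contains.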

Original Source

Url : http://www.debian.org/security/2010/dsa-2020

CWE : Common Weakness Enumeration

Share   Id        Name
10 % CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)
8 % CWE-78 Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') (CWE/SANS Top 25)
6 % CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25)
6 % CWE-20 Improper Input Validation
5 % CWE-601 URL Redirection to Untrusted Site ('Open Redirect') (CWE/SANS Top 25)
5 % CWE-552 Files or Directories Accessible to External Parties
5 % CWE-295 Certificate Issues
5 % CWE-276 Incorrect Default Permissions
5 % CWE-200 Information Exposure
3 % CWE-798 Use of Hard-coded Credentials (CWE/SANS Top 25)
3 % CWE-732 Incorrect Permission Assignment for Critical Resource (CWE/SANS Top 25)
3 % CWE-668 Exposure of Resource to Wrong Sphere
3 % CWE-330 Use of Insufficiently Random Values
3 % CWE-306 Missing Authentication for Critical Function (CWE/SANS Top 25)
3 % CWE-125 Out-of-bounds Read
3 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
3 % CWE-89 Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25)
3 % CWE-74 Failure to Sanitize Data into a Different Plane ('Injection')
2 % CWE-787 Out-of-bounds Write (CWE/SANS Top 25)
2 % CWE-640 Weak Password Recovery Mechanism for Forgotten Password
2 % CWE-532 Information Leak Through Log Files
2 % CWE-522 Insufficiently Protected Credentials (CWE/SANS Top 25)
2 % CWE-502 Deserialization of Untrusted Data
2 % CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
2 % CWE-352 Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25)
2 % CWE-331 Insufficient Entropy
2 % CWE-252 Unchecked Return Value
2 % CWE-129 Improper Validation of Array Index

CPE : Common Platform Enumeration

Type  Description  Count
(The description column of the CPE table is missing from this copy; only the entry types and counts survived: 29 Application, 13 Hardware and 20 Os entries.)

OpenVAS Exploits

Date Description
2010-04-06 Name : Ikiwiki 'htmlscrubber' Cross Site Scripting Vulnerability
File : nvt/gb_ikiwiki_htmlscrubber_xss_vuln.nasl
2010-03-30 Name : Debian Security Advisory DSA 2020-1 (ikiwiki)
File : nvt/deb_2020_1.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
63024 ikiwiki htmlscrubber Component data:image/svg+xml URI XSS

Nessus® Vulnerability Scanner

Date Description
2010-03-23 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2020.nasl - Type : ACT_GATHER_INFO

Alert History

Date  Information
2014-02-17 11:29:19
  • Multiple Updates