svn commit: r487432 - head/security/vuxml
Tijl Coosemans
tijl at FreeBSD.org
Fri Dec 14 13:29:12 UTC 2018
Author: tijl
Date: Fri Dec 14 13:29:11 2018
New Revision: 487432
URL: https://svnweb.freebsd.org/changeset/ports/487432
Log:
HTML encode < and > and fix the formatting of the latest typo3 entry.
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Fri Dec 14 13:22:01 2018 (r487431)
+++ head/security/vuxml/vuln.xml Fri Dec 14 13:29:11 2018 (r487432)
@@ -118,11 +118,14 @@ Notes:
<p>Failing to properly encode user input, login status display is vulnerable to cross-site
scripting in the website frontend. A valid user account is needed in order to exploit this
vulnerability - either a backend user or a frontend user having the possibility to modify
- their user profile.
- Template patterns that are affected are:
- ###FEUSER_[fieldName]### using system extension felogin
- <!--###USERNAME###--> for regular frontend rendering (pattern can be defined individually
- using TypoScript setting config.USERNAME_substToken)</p>
+ their user profile.</p>
+ <p>Template patterns that are affected are:</p>
+ <ul>
+ <li>###FEUSER_[fieldName]### using system extension felogin</li>
+ <li><!--###USERNAME###--> for regular frontend rendering
+ (pattern can be defined individually using TypoScript setting
+ config.USERNAME_substToken)</li>
+ </ul>
<p>It has been discovered that cookies created in the Install Tool are not hardened to be
submitted only via HTTP. In combination with other vulnerabilities such as cross-site
scripting it can lead to hijacking an active and valid session in the Install Tool.</p>
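Review bot: the `+` line `<li><!--###USERNAME###--> for regular frontend rendering` still carries a literal `<!--...-->`, which an XML parser will consume as a comment, leaving the list item reading just "for regular frontend rendering"; the log says `<` and `>` were HTML-encoded, so either the archive rendering decoded the entities back or that line was missed. Worth confirming the committed file has `&lt;!--###USERNAME###--&gt;` there (and on the `-` side of the same hunk it no longer matters) and re-running `make validate` in security/vuxml, since the original line 24 above has the same problem and is the reason the old block rendered oddly.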