svn commit: r410209 - head/www/py-djblets
Kubilay Kocak
koobs at FreeBSD.org
Sun Mar 6 02:20:57 UTC 2016
On 6/03/2016 7:28 AM, Ruslan Makhmatkhanov wrote:
> Author: rm
> Date: Sat Mar 5 20:28:58 2016
> New Revision: 410209
> URL: https://svnweb.freebsd.org/changeset/ports/410209
>
> Log:
> www/py-djblets: update to 0.9.2
>
> Changelog [1]:
>
> Fixed a Self-XSS vulnerability in the djblets.datagrid column headers.
>
> A recently-discovered vulnerability in the datagrid templates allows an attacker
> to generate a URL to any datagrid page containing malicious code in a column
> sorting value. If the user visits that URL and then clicks that column, the code
> will execute.
>
> The cause of the vulnerability was due to a template not escaping user-provided
> values.
>
> This vulnerability was reported by Jose Carlos Exposito Bueno (0xlabs).
>
> [1] https://www.reviewboard.org/docs/releasenotes/djblets/0.9.2/
>
> With hat: python
>
VuXML + MFH?
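As an added illustration of the bug class the log describes (not Djblets or Review Board code; names, the sample URL and the markup in it are constructed here): a column-sort value taken from the page URL is placed into a column-header link, once the unescaped way a template with escaping disabled would, and once HTML-escaped and URL-encoded. A small parser check confirms the hardened output still contains only the intended `th` and `a` elements.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

# Constructed sample query string for a datagrid page: the ?sort= value
# carries markup instead of a plain column name (hypothetical, for testing).
SAMPLE_QUERY = 'sort=-summary"><b>injected</b><a href="'


def sort_value(query):
    """Return the raw ?sort= value from a query string (first occurrence)."""
    return parse_qs(query, keep_blank_values=True).get("sort", [""])[0]


def render_header_unescaped(column, sort):
    """Vulnerable pattern: the user-controlled sort value is interpolated
    straight into the markup, as a template with escaping turned off would."""
    return '<th><a href="?sort=%s">%s</a></th>' % (sort, column)


def render_header_escaped(column, sort):
    """Hardened pattern: URL-encode the value that goes into the href query
    string, then HTML-escape (quotes included) everything interpolated."""
    href = "?" + urlencode({"sort": sort})
    return '<th><a href="%s">%s</a></th>' % (
        html.escape(href, quote=True),
        html.escape(column, quote=True),
    )


class _TagCollector(HTMLParser):
    """Collect the start tags seen while parsing a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def header_is_intact(rendered):
    """True if the rendered header parses as exactly one <th> containing
    one <a> and nothing else, i.e. the sort value added no elements."""
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags == ["th", "a"]


if __name__ == "__main__":
    value = sort_value(SAMPLE_QUERY)
    print("unescaped intact:", header_is_intact(render_header_unescaped("Summary", value)))
    print("escaped intact:  ", header_is_intact(render_header_escaped("Summary", value)))
```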