Arch Linux Security Advisory ASA-201710-13 ========================================== Severity: High Date : 2017-10-10 CVE-ID : CVE-2017-15213 CVE-2017-15214 Package : flyspray Type : cross-site scripting Remote : Yes Link : https://security.archlinux.org/AVG-439 Summary ======= The package flyspray before version 1.0rc6-1 is vulnerable to cross- site scripting. Resolution ========== Upgrade to 1.0rc6-1. # pacman -Syu "flyspray>=1.0rc6-1" The problems have been fixed upstream in version 1.0rc6. Workaround ========== None. Description =========== - CVE-2017-15213 (cross-site scripting) A stored XSS vulnerability in Flyspray before 1.0-rc6 allows an authenticated user to inject JavaScript to gain administrator privileges, via the real_name or email_address field in themes/CleanFS/templates/common.editallusers.tpl. - CVE-2017-15214 (cross-site scripting) A stored XSS vulnerability in Flyspray between 1.0-rc4 and 1.0-rc6 allows an authenticated user to inject JavaScript to gain administrator privileges and also to execute JavaScript against other users (including unauthenticated users), via the name, title, or id parameter of dokuwiki links in plugins/dokuwiki/lib/plugins/changelinks/syntax.php. Impact ====== A remote attacker is able to perform a cross-side scripting attack and possibly gain administrator privileges by injecting malicious javascript. References ========== http://www.openwall.com/lists/oss-security/2017/10/10/6 https://github.com/Flyspray/flyspray/commit/754ec5d04348ef7ecb8cb02ade976dc412b031f8 https://github.com/Flyspray/flyspray/commit/00cfae5661124f9d67ac6733db61b2bfee34dccc https://security.archlinux.org/CVE-2017-15213 https://security.archlinux.org/CVE-2017-15214