Directory traversal, XSS, arbitrary code execution vulnerabilities
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
jspwiki (Debian) | Fix Released | Unknown | | |
jspwiki (Ubuntu) | Fix Released | High | Unassigned | |
Bug Description
Binary package hint: jspwiki
CVE-2008-1231:
Directory traversal vulnerability in Edit.jsp in JSPWiki 2.4.104 and 2.5.139 allows remote attackers to include and execute arbitrary local .jsp files, and obtain sensitive information, via a .. (dot dot) in the editor parameter.
CVE-2008-1229:
Cross-site scripting (XSS) vulnerability in Edit.jsp in JSPWiki 2.4.104 and 2.5.139 allows remote attackers to inject arbitrary web script or HTML via the editor parameter, a different vector than CVE-2007-5120.b.
CVE-2008-1230:
Unrestricted file upload vulnerability in JSPWiki 2.4.104 and 2.5.139 allows remote attackers to upload and execute arbitrary .jsp files via an unspecified manipulation that attaches a .jsp file to an "entry page."
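Added example, not part of the original bug report and not JSPWiki's own code: one way to handle an `editor` request parameter so that it can neither select an arbitrary local .jsp file (the CVE-2008-1231 class) nor be echoed back as markup (the CVE-2008-1229 class). The class name, editor names and JSP paths are assumptions made for illustration.

```java
import java.util.Map;

/** Hypothetical helper (not JSPWiki code): safe handling of the "editor" parameter. */
public final class EditorResolver {
    // Constructed allowlist: editor name -> JSP path. Names and paths are assumptions.
    private static final Map<String, String> EDITORS = Map.of(
        "plain", "/editors/plain.jsp",
        "FCK", "/editors/FCK.jsp");
    private static final String DEFAULT_EDITOR = "plain";

    /** Returns the JSP to include; any value outside the allowlist gets the default. */
    public static String resolve(String editorParam) {
        if (editorParam == null) return EDITORS.get(DEFAULT_EDITOR);
        // Exact-match lookup: the request value is never concatenated into a path,
        // so "../" sequences have nothing to traverse.
        String path = EDITORS.get(editorParam);
        return path != null ? path : EDITORS.get(DEFAULT_EDITOR);
    }

    /** HTML-escapes a value before it is written into a page. */
    public static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs, including a dot-dot value and a markup value.
        String[] samples = { "plain", "FCK", "../../constructed", "<b>x</b>", null };
        for (String s : samples) {
            String shown = (s == null) ? "(absent)" : escapeHtml(s);
            System.out.println(shown + " -> " + resolve(s));
        }
    }
}
```

Every input outside the allowlist resolves to `/editors/plain.jsp`, and the raw parameter only reaches output through `escapeHtml`.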
Changed in jspwiki:
importance: Undecided → High
status: New → Confirmed
Changed in jspwiki:
status: Unknown → New
Changed in jspwiki:
status: New → Fix Released
Changed in jspwiki (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Removed assignee that was added by r12056.