Directory traversal, XSS, arbitrary code execution vulnerabilities
Bug #202750 reported by
William Grant
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| jspwiki (Debian) |
Fix Released
|
Unknown
|
|||
| jspwiki (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
Bug Description
Binary package hint: jspwiki
CVE-2008-1231:
Directory traversal vulnerability in Edit.jsp in JSPWiki 2.4.104 and 2.5.139 allows remote attackers to include and execute arbitrary local .jsp files, and obtain sensitive information, via a .. (dot dot) in the editor parameter.
CVE-2008-1229:
Cross-site scripting (XSS) vulnerability in Edit.jsp in JSPWiki 2.4.104 and 2.5.139 allows remote attackers to inject arbitrary web script or HTML via the editor parameter, a different vector than CVE-2007-5120.b.
CVE-2008-1230:
Unrestricted file upload vulnerability in JSPWiki 2.4.104 and 2.5.139 allows remote attackers to upload and execute arbitrary .jsp files via an unspecified manipulation that attaches a .jsp file to an "entry page."
| Changed in jspwiki: | |
| importance: | Undecided → High |
| status: | New → Confirmed |
| Changed in jspwiki: | |
| status: | Unknown → New |
| Changed in jspwiki: | |
| status: | New → Fix Released |
| Changed in jspwiki (Ubuntu): | |
| assignee: | nobody → Ubuntu Security Team (ubuntu-security) |
Revision history for this message
| Chris Johnston (cjohnston) wrote | #1 |
| Changed in jspwiki (Ubuntu): | |
| assignee: | Ubuntu Security Team (ubuntu-security) → nobody |
Revision history for this message
| Jamie Strandboge (jdstrand) wrote | #2 |
Revision history for this message
| Jamie Strandboge (jdstrand) wrote | #3 |
| Changed in jspwiki (Ubuntu): | |
| status: | Confirmed → Fix Released |
To post a comment you must log in.
Removed assignee that was added by r12056.