libnginx-mod-http-fancyindex is using outdated version with missing html escaping
Bug #1979917 reported by Stian Skjelstad
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
nginx (Ubuntu) | Confirmed | Medium | Thomas Ward |
Bug Description
This patch has not made it into libnginx-
https:/
This causes filenames with HTML entities to be served as-is to the end-user, possible XSS if filenames are generated by a user.
affects: ubuntu → nginx (Ubuntu)
information type: Private Security → Public Security
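The class of fix the report refers to, as an added example that is not part of the bug report and is not the module's own code: a filename is HTML-escaped before it is placed in a directory-listing row. The function names `html_escape` and `render_row`, the row markup and the sample filename are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not fancyindex code: copy src into dst, replacing the
 * HTML-significant characters with entities. Returns the escaped length, or
 * -1 if dst (cap bytes, NUL included) is too small; never truncates. */
static int html_escape(const char *src, char *dst, size_t cap)
{
    size_t used = 0;
    if (cap == 0) return -1;
    for (; *src != '\0'; src++) {
        char one[2] = { *src, '\0' };
        const char *rep = one;          /* default: copy the byte unchanged */
        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t n = strlen(rep);
        if (used + n + 1 > cap)
            return -1;                  /* fail instead of cutting an entity */
        memcpy(dst + used, rep, n);
        used += n;
    }
    dst[used] = '\0';
    return (int)used;
}

/* Listing row with the name escaped before it reaches the markup. */
static int render_row(const char *name, char *out, size_t cap)
{
    char esc[1536];
    if (html_escape(name, esc, sizeof esc) < 0)
        return -1;
    int n = snprintf(out, cap, "<tr><td>%s</td></tr>\n", esc);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

int main(void)
{
    const char *name = "<b>a</b>&\"q\".txt"; /* constructed sample filename */
    char row[2048];
    printf("as-is:   <tr><td>%s</td></tr>\n", name);
    if (render_row(name, row, sizeof row) > 0)
        printf("escaped: %s", row);
    return 0;
}
```

A name placed inside an `href` attribute also needs URI percent-encoding, which this example does not cover.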
We (Debian) are also checking and merging to Kinetic - can you check if this is patched in Debian as well? So I can make sure it's patched in Salsa as well as here in Ubuntu.