[CVE-2008-0444, CVE-2008-0445] XSS and DoS
Bug #216301 reported by William Grant
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
elog (Debian) | Fix Released | Unknown | |
elog (Ubuntu) | Invalid | High | Unassigned |
Dapper | Won't Fix | Undecided | Unassigned |
Edgy | Invalid | Undecided | Unassigned |
Feisty | Won't Fix | Undecided | Unassigned |
Gutsy | Won't Fix | Undecided | Unassigned |
Hardy | Won't Fix | High | Unassigned |
Bug Description
Binary package hint: elog
I presume that all releases are affected by these, as there is little difference between them.
CVE-2008-0444:
"Cross-site scripting (XSS) vulnerability in Electronic Logbook (ELOG) before 2.7.0 allows remote attackers to inject arbitrary web script or HTML via subtext parameter to unspecified components."
CVE-2008-0445:
"The replace_inline_img function in elogd in Electronic Logbook (ELOG) before 2.7.1 allows remote attackers to cause a denial of service (infinite loop) via crafted logbook entries. NOTE: some of these details are obtained from third party information."
Changed in elog:
importance: Undecided → High
status: New → Confirmed
Changed in elog:
status: Unknown → New
Changed in elog:
status: New → Fix Released
Changed in elog (Ubuntu Hardy):
assignee: nobody → Ubuntu BugSquad (bugsquad)
Changed in elog (Ubuntu):
assignee: nobody → Ubuntu BugSquad (bugsquad)
assignee: Ubuntu BugSquad (bugsquad) → Ubuntu Security Team (ubuntu-security)
Changed in elog (Ubuntu Hardy):
assignee: Ubuntu BugSquad (bugsquad) → Ubuntu Security Team (ubuntu-security)
The 18 month support period for Edgy Eft 6.10 has reached its end of life. As a result, we are closing the Edgy Eft task. However, please note that this report will remain open against the actively developed release. Thank you for your continued support and help as we debug this issue.