Bug 624753 (CVE-2010-2479)

Summary: CVE-2010-2479 moodle, sahana: XSS flaw in embedded HTML Purifier allows remote arbitrary web script injection
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: david, gwync
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-22 15:37:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 624754, 624755    
Bug Blocks:    

Description Vincent Danen 2010-08-17 16:35:09 UTC 
Cross-site scripting (XSS) vulnerability in HTML Purifier before 4.1.1, as used in Mahara and other products, when the browser is Internet Explorer, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. (CVE-2010-2479)

References:

http://htmlpurifier.org/news/2010/0531-4.1.1-released
http://repo.or.cz/w/htmlpurifier.git/commitdiff/18e538317a877a0509ae71a860429c41770da230

Both Moodle and Sahana contain embedded copies of HTML Purifier and need to be updated.
Comment 1 Vincent Danen 2010-08-17 16:36:40 UTC 
Created sahana tracking bugs for this issue

Affects: fedora-all [bug 624755]
Comment 2 Vincent Danen 2010-08-17 16:36:43 UTC 
Created moodle tracking bugs for this issue

Affects: fedora-all [bug 624754]
Comment 3 Vincent Danen 2011-06-14 17:07:04 UTC 
Sahana is still affected by this flaw in Fedora.  Could this be fixed please?  This issue is quite old.