A cross-site scripting flaw was found in AskBot, a question and answer forum written in Python and Django. The flaw can be triggered by appending, for example: ?sort=%3C/SCript%3E%3CsvG/onLoad=prompt%289%29%3E to a question page on a vulnerable AskBot deployment. This flaw is reported to be fixed in the latest release of AskBot, though it is unclear which one that is. askbot-0.7.51-4.el6.noarch is definitely vulnerable. The upstream changelog is not up-to-date: http://askbot.org/doc/changelog.html
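The root cause described in the report is a request parameter (`sort`) that is reflected into the page without validation or escaping. The following is an added illustration, not AskBot's code and not the content of the attached patch: it shows the vulnerable reflection pattern beside a hardened version (allowlist the parameter, then HTML-escape whatever is echoed), plus a small detection helper that flags access-log request paths whose `sort` value is not an allowed one. The sort-order names in `ALLOWED_SORTS` are hypothetical; only the payload string is taken from the report above.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Payload string taken from the report above, percent-encoded as it appears
# in the URL; decoded it reads '</SCript><svG/onLoad=prompt(9)>'.
REPORTED_PAYLOAD = "?sort=%3C/SCript%3E%3CsvG/onLoad=prompt%289%29%3E"

# Hypothetical allowlist of sort orders. AskBot's real set of accepted
# values is not given on the page; these names are illustrative only.
ALLOWED_SORTS = frozenset({
    "activity-desc", "activity-asc",
    "age-desc", "age-asc",
    "answers-desc", "answers-asc",
    "votes-desc", "votes-asc",
})
DEFAULT_SORT = "activity-desc"


def raw_sort_value(url):
    """Decoded value of the 'sort' query parameter, or None if it is absent."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = params.get("sort")
    return values[0] if values else None


def sort_from_query(url):
    """Sort key to use for the request: the client's value only if it is
    exactly one of the allowed ones, otherwise the default."""
    value = raw_sort_value(url)
    return value if value in ALLOWED_SORTS else DEFAULT_SORT


def render_sort_link_unsafe(sort_value):
    """Vulnerable pattern: the request value is echoed into the page with
    no validation and no escaping, so markup in it becomes live markup."""
    return '<a href="?sort=%s">%s</a>' % (sort_value, sort_value)


def render_sort_link_safe(url):
    """Hardened pattern: allowlist first, then HTML-escape what is echoed.
    The escape is defence in depth; the allowlist already rejects the payload."""
    sort_value = html.escape(sort_from_query(url), quote=True)
    return '<a href="?sort=%s">%s</a>' % (sort_value, sort_value)


def suspicious_sort_values(request_paths):
    """Detection helper: return the request paths whose 'sort' parameter is
    not an allowed value or carries HTML metacharacters. Input is a list of
    request paths as they would appear in a web server access log."""
    hits = []
    for path in request_paths:
        value = raw_sort_value(path)
        if value is None:
            continue
        if value not in ALLOWED_SORTS or any(c in value for c in "<>\"'"):
            hits.append(path)
    return hits


if __name__ == "__main__":
    # Constructed sample of request paths, including the reported payload.
    sample_paths = [
        "/questions/?sort=votes-desc",
        REPORTED_PAYLOAD,
        "/questions/42/?sort=bogus",
        "/questions/",
    ]
    print("unsafe :", render_sort_link_unsafe(raw_sort_value(REPORTED_PAYLOAD)))
    print("safe   :", render_sort_link_safe(REPORTED_PAYLOAD))
    print("flagged:", suspicious_sort_values(sample_paths))
```

The order of the two defences matters: the allowlist turns the sort parameter from free text into one of a few known tokens before it reaches any template or query builder, and escaping covers any other place the value is still echoed. The detection helper is what you would run over historical access logs to see whether the parameter was probed before the fix was deployed.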
Created askbot tracking bugs for this issue:
Affects: fedora-20 [bug 1221618]
Affects: epel-6 [bug 1221619]
Could you give me more information about the bug? I tested what you wrote but I couldn't trigger it.
Acknowledgements: Red Hat would like to thank Harsha Vardhan Boppana (@hvboppana) for reporting this issue.
Created attachment 1044309 [details] 0001-Fix-CVE-2015-3169-XSS-by-using-sort-argument-in-GET-.patch
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.