A flaw was reported [1] in smokeping 2.6 (and most likely earlier versions) which malicious remote users could abuse to conduct cross-site scripting attacks. Input passed to the "displaymode" parameter in the smokeping CGI script is not properly sanitized before being returned to the user, which can be used to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. Smokeping 2.6.7 has been released to correct this flaw. [1] http://holisticinfosec.org/content/view/188/45/
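As an added illustration of the pattern described above (Python, written for this note; it is not smokeping's Perl CGI code nor the attached patch): the raw "displaymode" value reflected into the page, beside an HTML-escaped version and a stricter allow-listed version. The allowed mode names and the sample inputs are assumptions constructed here, not values taken from smokeping.

```python
import html

# Constructed sample values for the "displaymode" query parameter:
# one ordinary mode name and one that carries attribute-breaking markup.
BENIGN_MODE = "n"
MARKUP_MODE = '"><b>injected</b>'

# Hypothetical allow-list; the real set of smokeping display modes is not
# given in the bug report, so these names are assumed for illustration.
ALLOWED_MODES = {"n", "a", "d"}

TEMPLATE = '<a href="?displaymode={mode}">mode {mode}</a>'


def render_vulnerable(displaymode: str) -> str:
    """Reflects the parameter unchanged into HTML, the flawed behaviour.

    A value containing quotes or angle brackets leaves the attribute and
    becomes live markup in the visitor's browser.
    """
    return TEMPLATE.format(mode=displaymode)


def render_escaped(displaymode: str) -> str:
    """Output-encode the value before it is returned to the browser.

    quote=True also encodes double quotes, which matters here because the
    value lands inside an href attribute as well as in element text.
    """
    return TEMPLATE.format(mode=html.escape(displaymode, quote=True))


def render_allowlisted(displaymode: str, default: str = "n") -> str:
    """Defence in depth: accept only known modes, then still escape.

    Unknown values fall back to a default instead of being reflected at all.
    """
    mode = displaymode if displaymode in ALLOWED_MODES else default
    return render_escaped(mode)


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(MARKUP_MODE))
    print("escaped:   ", render_escaped(MARKUP_MODE))
    print("allowlist: ", render_allowlisted(MARKUP_MODE))
```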
Created smokeping tracking bugs for this issue. Affects: fedora-all [bug 783585]
Created attachment 556619 [details]: patch to correct the flaw. Derived from diffing 2.6.7 to 2.6.6; this looks like the relevant bits required to fix the flaw.
This has been assigned CVE-2012-0790.
smokeping-2.4.2-16.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
smokeping-2.4.2-13.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.