Multiple XSS flaws were reported in Cumin. These flaws could be used by a remote attacker to inject arbitrary web script on a web page displayed by Cumin. This includes an XSS in error message displays due to not filtering the displayed output, and not escaping quotes in source HTML on certain pages.
Created attachment 590472: Call xml_escape() on error page content
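As an added illustration of the two findings above (unfiltered error text, and quotes left unescaped inside HTML), this example is not Cumin's code or the attached patch; the xml_escape() helper here is a hypothetical reimplementation that borrows the name from the attachment title, and the error-page template and sample input are constructed.

```python
from xml.sax.saxutils import escape

# saxutils.escape() alone handles only &, < and >; without these two extra
# entities a value placed in a quoted attribute can still close the quote.
_QUOTE_ENTITIES = {'"': "&quot;", "'": "&#39;"}

# Constructed error-page template: the message appears once as text content
# and once inside a double-quoted attribute, so both contexts need escaping.
_TEMPLATE = '<div class="error" title="%s">%s</div>'


def xml_escape(text):
    """Escape &, <, >, " and ' so text is inert as HTML content or attribute value.

    Hypothetical helper named after the one in the attached fix; not Cumin's code.
    """
    return escape(str(text), _QUOTE_ENTITIES)


def render_error_vulnerable(message):
    """The 'before' shape: the message is interpolated raw into both contexts."""
    return _TEMPLATE % (message, message)


def render_error(message):
    """The hardened shape: the message passes through xml_escape() first."""
    safe = xml_escape(message)
    return _TEMPLATE % (safe, safe)


def attribute_intact(html):
    """Rendered page still has exactly the template's four double quotes,
    i.e. the title attribute was not broken open by the message."""
    return html.count('"') == 4


if __name__ == "__main__":
    # Constructed sample: an error string that carries markup and a quote.
    sample = 'Queue "jobs" not found: <b>see broker log</b>'
    print(render_error_vulnerable(sample))
    print(render_error(sample))
    print("attribute intact:", attribute_intact(render_error(sample)))
```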
Acknowledgements: These issues were discovered by Florian Weimer of the Red Hat Product Security Team.
This issue has been addressed in the following products: MRG for RHEL-5 v. 2 Via RHSA-2012:1278 https://rhn.redhat.com/errata/RHSA-2012-1278.html
This issue has been addressed in the following products: MRG for RHEL-6 v.2 Via RHSA-2012:1281 https://rhn.redhat.com/errata/RHSA-2012-1281.html
Created cumin tracking bugs for this issue
Affects: fedora-all [bug 858868]
cumin-0.1.5522-4.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
cumin-0.1.5522-4.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
cumin-0.1.5522-4.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.