Bug 748425 (CVE-2011-4170) - CVE-2011-4170 empathy: XSS due improper escaping of nicknames in the /me event in the Adium theme
Summary: CVE-2011-4170 empathy: XSS due improper escaping of nicknames in the /me even...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-4170
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 747737
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-10-24 12:27 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:48 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2012-08-07 07:38:45 UTC
Embargoed:

Attachments (Terms of Use)

Description Jan Lieskovsky 2011-10-24 12:27:09 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-4170 to
the following vulnerability:

Cross-site scripting (XSS) vulnerability in the theme_adium_append_message function in empathy-theme-adium.c in the Adium theme in libempathy-gtk in Empathy 3.2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted alias (aka nickname) in a /me event, a different vulnerability than CVE-2011-3635.

Upstream bug report:
[1] https://bugzilla.gnome.org/show_bug.cgi?id=662035

Original mention of the deficiency:
[2] https://bugzilla.gnome.org/show_bug.cgi?id=662035#c13

Relevant upstream patch:
[3] http://git.gnome.org/browse/empathy/commit/?id=15a4eec2f156c4f60398a9d842279203f475ed89
Comment 1 Jan Lieskovsky 2011-10-24 12:28:16 UTC 
This issue affects the versions of the empathy package, as shipped with Fedora release of 14 and 15. Please schedule an update.
Comment 2 Jan Lieskovsky 2011-10-24 12:31:05 UTC 
Created empathy tracking bugs for this issue

Affects: fedora-all [bug 747737]
Note You need to log in before you can comment on or make changes to this bug.