Bug 1070852 (CVE-2014-2235, CVE-2014-2236) - CVE-2014-2235 CVE-2014-2236 askbot: multiple XSS issues fixed in 0.7.49
Summary: CVE-2014-2235 CVE-2014-2236 askbot: multiple XSS issues fixed in 0.7.49
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-2235, CVE-2014-2236
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1070858
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-02-27 15:26 UTC by Tomas Hoger
Modified: 2021-10-20 10:44 UTC (History)
5 users (show)

Fixed In Version: askbot 0.7.49
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-20 10:44:13 UTC


Attachments (Terms of Use)

Description Tomas Hoger 2014-02-27 15:26:09 UTC
Multiple cross-site scripting (XSS) issues were found in askbot (Question and Answer forum web application written in python and django) affecting various search forms (question, tag, and user searches).  These issue were corrected in upstream version 0.7.49.

Relevant upstream changes (two of the forms were fixed as part of the larger commit with unrelated changes):
https://github.com/ASKBOT/askbot-devel/commit/876e3662ff6b78cc6241338c15e3a0cb49edf4e2#diff-6868da9ad7c82c149086e59fac3af76b
https://github.com/ASKBOT/askbot-devel/commit/876e3662ff6b78cc6241338c15e3a0cb49edf4e2#diff-b693b4c02739be4b3231bece15b0eb87
https://github.com/ASKBOT/askbot-devel/commit/a676a86b6b7a5737d4da4f59f71e037406f88d29

Comment 1 Tomas Hoger 2014-02-27 15:30:30 UTC
The question search XSS was reported by Kamil Sevi (@kamilsevi) for askbot running on https://ask.fedoraproject.org/ .  Additional issues were noticed when investigating the report.  All issue were fixed upstream in a released 0.7.49 at the time of the report.

Comment 2 Tomas Hoger 2014-02-27 15:30:58 UTC
Created askbot tracking bugs for this issue:

Affects: fedora-all [bug 1070858]

Comment 3 Tomas Hoger 2014-02-28 20:30:47 UTC
CVE-2014-2235 was assigned to the question search XSS, CVE-2014-2236 to the tag and user search XSS.

http://www.openwall.com/lists/oss-security/2014/02/28/8


Note You need to log in before you can comment on or make changes to this bug.