CVE-2017-1001001: pluxml: XSS and missing httponly flag

Related Vulnerabilities: CVE-2017-1001001  

Debian Bug report logs - #881796


Package: pluxml; Maintainer for pluxml is Tanguy Ortolo <tanguy+debian@ortolo.eu>; Source for pluxml is src:pluxml (PTS, buildd, popcon).

Reported by: Henri Salo <henri@nerv.fi>

Date: Wed, 15 Nov 2017 07:18:02 UTC

Severity: grave

Tags: security, upstream

Found in version pluxml/5.5-2

Fixed in version pluxml/5.6-1

Done: Tanguy Ortolo <tanguy+debian@ortolo.eu>

Forwarded to https://github.com/pluxml/PluXml/issues/253



Report forwarded to debian-bugs-dist@lists.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Bug#881796; Package pluxml. (Wed, 15 Nov 2017 07:18:04 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>. (Wed, 15 Nov 2017 07:18:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: CVE-2017-1001001: pluxml: XSS and missing httponly flag
Date: Wed, 15 Nov 2017 09:14:18 +0200
Package: pluxml
Version: 5.5-2
Severity: grave
Tags: security upstream

https://nvd.nist.gov/vuln/detail/CVE-2017-1001001
https://github.com/pluxml/PluXml/issues/253

PluXml version 5.6 is vulnerable to a stored cross-site scripting vulnerability,
within the article creation page, which can result in escalation of privileges.

Two problems:
- Cross-site scripting vulnerability with "writer" role
- Missing HttpOnly flag

-- 
Henri Salo
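The second of the two problems above, a session cookie issued without HttpOnly, is the kind of thing worth checking on any deployed instance rather than taking a changelog's word for it. The script below is an added example, not PluXml code and not the reporter's: it parses Set-Cookie headers, reports session-looking cookies that lack HttpOnly (and, on HTTPS deployments, Secure and SameSite), and runs offline on constructed header lines. The cookie name PHPSESSID is PHP's default session cookie; the name heuristics in SESSION_NAME_HINTS are an assumption of this example, not something the bug report states. It does not attempt to detect the stored XSS itself.

```python
"""Audit Set-Cookie headers for the flags a session cookie should carry.

Added example (not PluXml code, not the bug reporter's code). Feed it the
raw response header lines from any HTTP client to audit a real install.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Substrings that mark a cookie as session/auth-bearing. Assumption of this
# example: PHP's default "PHPSESSID" matches via "sess".
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")


@dataclass
class CookieFinding:
    name: str
    missing: List[str] = field(default_factory=list)   # flags absent
    insecure: List[str] = field(default_factory=list)  # flags present but unsafe


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, value, {attr_lower: attr_value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flag-only attrs map to ""
    return name.strip(), value, attrs


def audit_set_cookie(header_value: str, https: bool = True) -> CookieFinding:
    """Report which protective attributes a single cookie lacks."""
    name, _value, attrs = parse_set_cookie(header_value)
    finding = CookieFinding(name=name)
    if "httponly" not in attrs:               # the flag CVE-2017-1001001 calls out
        finding.missing.append("HttpOnly")
    if https and "secure" not in attrs:       # only meaningful over TLS
        finding.missing.append("Secure")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        finding.missing.append("SameSite")
    elif samesite == "none" and "secure" not in attrs:
        # Browsers reject SameSite=None without Secure; flag it separately.
        finding.insecure.append("SameSite=None without Secure")
    return finding


def is_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_response_headers(headers: List[str], https: bool = True) -> List[CookieFinding]:
    """Audit every Set-Cookie line; only session-looking cookies with problems are returned."""
    findings: List[CookieFinding] = []
    for line in headers:
        if not line.lower().startswith("set-cookie:"):
            continue
        value = line.split(":", 1)[1].strip()
        finding = audit_set_cookie(value, https=https)
        if is_session_cookie(finding.name) and (finding.missing or finding.insecure):
            findings.append(finding)
    return findings


# Constructed sample responses (not captured from a real PluXml install).
VULNERABLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: PHPSESSID=3f1c9e2a7b; path=/",          # no HttpOnly at all
    "Set-Cookie: lang=fr; path=/",                         # not a session cookie
]
HARDENED_HEADERS = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: PHPSESSID=3f1c9e2a7b; path=/; HttpOnly; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    for label, hdrs in (("vulnerable", VULNERABLE_HEADERS), ("hardened", HARDENED_HEADERS)):
        results = audit_response_headers(hdrs)
        if not results:
            print(f"[{label}] no findings")
        for f in results:
            print(f"[{label}] {f.name}: missing {f.missing}, insecure {f.insecure}")
```

On the PHP side the usual belt-and-braces fix, independent of any application patch, is to set `session.cookie_httponly = 1` (and `session.cookie_secure = 1` on HTTPS) in php.ini, so the session cookie carries the flag even if the application never asks for it. Note that HttpOnly only keeps script from reading the cookie; it does nothing against the stored XSS itself, which can still drive the admin's browser to perform actions with that session.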

Set Bug forwarded-to-address to 'https://github.com/pluxml/PluXml/issues/253'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 15 Nov 2017 07:39:03 GMT)


Reply sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>:
You have taken responsibility. (Wed, 21 Mar 2018 17:42:16 GMT)


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Wed, 21 Mar 2018 17:42:16 GMT)


Message #12 received at 881796-close@bugs.debian.org:

From: Tanguy Ortolo <tanguy+debian@ortolo.eu>
To: 881796-close@bugs.debian.org
Subject: Bug#881796: fixed in pluxml 5.6-1
Date: Wed, 21 Mar 2018 17:41:20 +0000
Source: pluxml
Source-Version: 5.6-1

We believe that the bug you reported is fixed in the latest version of
pluxml, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 881796@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tanguy Ortolo <tanguy+debian@ortolo.eu> (supplier of updated pluxml package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 21 Mar 2018 10:48:19 +0100
Source: pluxml
Binary: pluxml
Architecture: source all
Version: 5.6-1
Distribution: unstable
Urgency: medium
Maintainer: Tanguy Ortolo <tanguy+debian@ortolo.eu>
Changed-By: Tanguy Ortolo <tanguy+debian@ortolo.eu>
Description:
 pluxml     - light blog/CMS engine powered by XML
Closes: 855162 881796
Changes:
 pluxml (5.6-1) unstable; urgency=medium
 .
   * New upstream release.
   * debian/po/es.po: Update Spanish translation. (Closes: #855162)
   * debian/postinst:
      - add new config parameter bypage_tags.
      - update the software version parameter in the generated configuration
        file.
   * debian/patches:
      - fix-mandatory-captcha.patch: remove patch applied upstream.
      - mitigate_CVE-2017-1001001.patch: mitigate a security issue
        CVE-2017-1001001 (Closes: #881796)
   * debian/compat: use debhelper compatibility level 11.
   * debian/control:
      - depend on debhelper >= 9.
      - switch priority from extra (deprecated) to optional.
      - add Rules-Requires-Root: binary-targets, necessary to run chmod and
        chown in debian/rules.
      - add default-mta to the recommends.
      - update Standards-Version to 4.1.3 (changes required).
   * debian/copyright: use a secure format URL.
   * debian/rules: remove inappropriate exec rights on a PHP class file.
   * debian/source/lintian-overrides: remove obsolete overrides.
Checksums-Sha1:
 fbe30fc30ebf6250b77d8673093dc3b6e5f7304d 1794 pluxml_5.6-1.dsc
 4b883327a9fb7332fca1476764596dde2a66ea2f 300708 pluxml_5.6.orig.tar.gz
 5127526336ef903a982de4fe9c64b175a04a7407 32256 pluxml_5.6-1.debian.tar.xz
 0e1ecd678c2f618cb8b9ed4997278512f9fe8bbb 236956 pluxml_5.6-1_all.deb
 91e8aea4106976a98a92a21ff54c7fb2a9d266fd 6418 pluxml_5.6-1_amd64.buildinfo
Checksums-Sha256:
 cf40cdbfd3c303d1e4f8e9d4dbc6d6118df1754260e3cf282b52e518fcad3590 1794 pluxml_5.6-1.dsc
 2443dff5531abdf5d2dd91364946aa13420d88d61a4781b298e14d88ef2cfc3e 300708 pluxml_5.6.orig.tar.gz
 563b779a3e40bb510021085884b86dd4a95375fb42b41868cc1e1fb366c29cff 32256 pluxml_5.6-1.debian.tar.xz
 7a51a8299ff4d19ee8a985d9b3b91f63ffe55d5695e21c243e89d995139e9ade 236956 pluxml_5.6-1_all.deb
 3d349a99d2cf9d62398de57446d8289057ef97830bd7f0540a609361e413c8a9 6418 pluxml_5.6-1_amd64.buildinfo
Files:
 65e237367cbe039edf4936fcf655da37 1794 web optional pluxml_5.6-1.dsc
 1663b67b1ca83f9c70047819b5d2c4ea 300708 web optional pluxml_5.6.orig.tar.gz
 a9b580caf7448faf36e1236ed45ff173 32256 web optional pluxml_5.6-1.debian.tar.xz
 3e6a0747f68a4a989317fd69e540f26c 236956 web optional pluxml_5.6-1_all.deb
 c741a89b2441c8ab1d69246f99162905 6418 web optional pluxml_5.6-1_amd64.buildinfo







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:07:19 2019; Machine Name: beach
