Cross-site scripting (XSS) vulnerability in htsearch in htdig 3.2.0b6 allows remote malicious users to inject arbitrary web script or HTML via the sort parameter.
Debian Bug report logs -
#453278
CVE-2007-6110: XSS in htsearch
Package:
htdig;
Maintainer for htdig is Debian QA Group <packages@qa.debian.org>; Source for htdig is src:htdig (PTS, buildd, popcon)
Reported by: Steffen Joeris <steffenjoeris@skolelinux.de>
Date: Wed, 28 Nov 2007 09:51:01 UTC
Severity: important
Tags ...
Michael Skibbe discovered that htdig, a WWW search system for an intranet
or small internet, did not adequately quote values submitted to the search
script, allowing remote attackers to inject arbitrary script or HTML
into specially crafted links.
For the old stable distribution (sarge), this problem was not present.
For the stable distribution (et ...
source: www.securityfocus.com/bid/26610/info
ht://Dig is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting this issue allows an attacker to execute arbitrary HTML or script code in a user's browser session in the context of an affected site. This may allow the attacker to ...