On Wed, Jul 19, 2017 at 07:13:02PM -0500, John Lightsey wrote:
> Source: phamm
> Severity: important
> Tags: upstream security
>
> While looking through codesearch.debian.net I noticed that phamm's
> views/helpers.php uses $_SERVER['PHP_SELF'] in a way that is vulnerable to
> reflected XSS attacks.
>
> To reproduce the problem, load a URL like this in Firefox:
>
> http://127.0.0.1/phamm/main.php/%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E
>
> The Debian Security team assigned this issue CVE-2017-0378
>
> Upstream bug report is here: https://github.com/lota/phamm/issues/21
What's the status?

Cheers,
Moritz
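An added example, not phamm's code and not part of this thread, showing the $_SERVER['PHP_SELF'] pattern the report describes as a vulnerable form-action helper beside a hardened one. The helper names and the form-action shape are assumptions, since the report does not quote views/helpers.php; the constructed value mirrors what PHP would set for the PoC URL.

```php
<?php
// Added example (assumption): a helper that echoes PHP_SELF into a form action.
// PHP_SELF is SCRIPT_NAME plus the decoded PATH_INFO, so the trailing path
// segment of the request URL lands here under attacker control.

// Vulnerable: the value is written into an HTML attribute unencoded, so a
// double quote in PATH_INFO closes the attribute and injects markup.
function form_action_vulnerable(string $php_self): string
{
    return '<form method="post" action="' . $php_self . '">';
}

// Hardened: HTML-encode for the attribute context. ENT_QUOTES encodes the
// double quote the PoC relies on, so the path cannot leave the attribute.
function form_action_hardened(string $php_self): string
{
    $safe = htmlspecialchars($php_self, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

// Safer still: do not reflect the request path at all; point the form at a
// fixed script name derived from the file rather than from the request.
function form_action_fixed(): string
{
    $target = htmlspecialchars(basename(__FILE__), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $target . '">';
}

// Constructed input: what PHP_SELF holds for the reported PoC URL once the
// percent-encoded PATH_INFO is decoded by the web server.
$php_self = '/phamm/main.php/"><script>alert(123)</script>';

echo form_action_vulnerable($php_self), "\n";
echo form_action_hardened($php_self), "\n";
echo form_action_fixed(), "\n";
```

Running the three lines side by side shows the unencoded variant emitting a closed attribute followed by a script element, while the encoded variant keeps the entire path inside the action value.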