Package: zope-zms
Severity: normal
Tags: security

CVE-2006-2997: "Cross-site scripting (XSS) vulnerability in ZMS 2.9 and earlier, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the raw parameter in the search field."

Note that 'register_globals' must be set 'on' for this to be a vulnerability.

The original BugTraq posting [1] does not include a patch, and no new upstream version has been released. This appears to affect sarge.

Please mention the CVE in the changelog.

Thanks,

Alec

[1] http://www.securityfocus.com/archive/1/archive/1/436703/100/0/threaded