Source: interchange
Severity: grave
Version: 5.6.0-1
Tags: security

Hi,

The following SA (Secunia Advisory) id was published for interchange.

SA32658[1]:
> Some vulnerabilities have been reported in Interchange, which can be
> exploited by malicious people to conduct cross-site scripting attacks.
>
> 1) Unspecified input passed to the "country-select widget" is not properly
> sanitised before being returned to the user. This can be exploited to
> execute arbitrary HTML and script code in a user's browser session in
> context of an affected site.
>
> 2) Input passed to the "mv_order_item" CGI variable is not properly
> sanitised before being returned to the user. This can be exploited to
> execute arbitrary HTML and script code in a user's browser session in
> context of an affected site.
>
> The vulnerabilities are reported in versions prior to 5.4.3 and 5.6.1.

If you fix the vulnerability please also make sure to include the SA id (or the CVE id when one is assigned) in the changelog entry.

[1]http://secunia.com/Advisories/32658/

Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net