Raphael Geissert wrote:
Source: interchange
Severity: grave
Version: 5.6.0-1
Tags: security
Hi,
The following SA (Secunia Advisory) id was published for interchange.
SA32658[1]:
Some vulnerabilities have been reported in Interchange, which can be
exploited by malicious people to conduct cross-site scripting attacks.
1) Unspecified input passed to the "country-select widget" is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
context of an affected site.
2) Input passed to the "mv_order_item" CGI variable is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
context of an affected site.
The vulnerabilities are reported in versions prior to 5.4.3 and 5.6.1.
If you fix the vulnerability please also make sure to include the SA id (or
the CVE id when one is assigned) in the changelog entry.
[1] http://secunia.com/Advisories/32658/

I already uploaded interchange 5.6.1-1 today before I was aware of this
SA.
Regards
Racke
--
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team