thr3ads.net - Secure testing team - [Secure-testing-team] Bug#563940: CVE-2009-4459: uses the title tag before defining the character encoding in a meta tag [Jan 2010]

If this information is useful, please help other people find it:
Share via:

Giuseppe Iuculano

2010-Jan-06 14:00 UTC

[Secure-testing-team] Bug#563940: CVE-2009-4459: uses the title tag before defining the character encoding in a meta tag

Package: redmine
Severity: serious
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for redmine.

CVE-2009-4459[0]:
| Redmine 0.8.7 and earlier uses the title tag before defining the
| character encoding in a meta tag, which allows remote attackers to
| conduct cross-site scripting (XSS) attacks and inject arbitrary script
| via UTF-7 encoded values in the title parameter to a new issue page,
| which may be interpreted as script by Internet Explorer 7 and 8.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4459
    http://security-tracker.debian.org/tracker/CVE-2009-4459


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAktEl4oACgkQNxpp46476arH6QCfZ8cbk6gPiNO9TwSNrS6PsESy
xCQAmgNQklC5IywBP46TBDELV+7qdbHE
=xnry
-----END PGP SIGNATURE-----

Secure testing team - Jan 2010 - Bug#563940: CVE-2009-4459: uses the title tag before defining the character encoding in a meta tag

[Secure-testing-team] Bug#563940: CVE-2009-4459: uses the title tag before defining the character encoding in a meta tag