Giuseppe Iuculano
2010-Aug-25 07:27 UTC
[Secure-testing-team] Bug#594304: CVE-2010-2790: Multiple cross-site scripting (XSS) vulnerabilities
Package: zabbix
Severity: serious
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for zabbix.

CVE-2010-2790[0]:
| Multiple cross-site scripting (XSS) vulnerabilities in the formatQuery
| function in frontends/php/include/classes/class.curl.php in Zabbix
| before 1.8.3rc1 allow remote attackers to inject arbitrary web script
| or HTML via the (1) filter_set, (2) show_details, (3) filter_rst, or
| (4) txt_select parameters to the triggers page (tr_status.php). NOTE:
| some of these details are obtained from third party information.

Unfortunately the vulnerability described above is not important enough
to get it fixed via regular security update in Debian stable. However it
would be nice if this could get fixed via a regular point update[1].
Please contact the release team for this.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2790
    http://security-tracker.debian.org/tracker/CVE-2010-2790
[1] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable

Cheers,
Giuseppe.
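
A log check for the request pattern the CVE text describes, as an added example that is not part of the original message or of Zabbix itself. It assumes a combined-format web access log and treats `<`, `>` and quote characters in the four named parameters as the signal; the `suspicious_params` helper and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Page and parameters named in the CVE-2010-2790 description.
PAGE = "tr_status.php"
PARAMS = {"filter_set", "show_details", "filter_rst", "txt_select"}
# Characters needed to open a tag or break out of a quoted HTML attribute.
MARKUP = re.compile(r"[<>\"']")
# Request field of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_params(log_line):
    """Return the sorted CVE parameter names whose decoded value holds markup."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.endswith("/" + PAGE):
        return []
    hits = set()
    # parse_qsl percent-decodes exactly once, as the web server does.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        # PHP accepts array syntax (txt_select[]=...), so compare the base name.
        base = name.split("[", 1)[0]
        if base in PARAMS and MARKUP.search(value):
            hits.add(base)
    return sorted(hits)

# Constructed sample log lines (documentation addresses, harmless markup).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Aug/2010:07:27:00 +0000] '
    '"GET /zabbix/tr_status.php?filter_set=1&show_details=1 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [25/Aug/2010:07:28:00 +0000] '
    '"GET /zabbix/tr_status.php?filter_set=1&txt_select=%22%3E%3Cb%3Ex HTTP/1.1" 200 5300',
    '192.0.2.12 - - [25/Aug/2010:07:29:00 +0000] '
    '"GET /zabbix/overview.php?txt_select=%3Cb%3Ex HTTP/1.1" 200 4100',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        flagged = suspicious_params(line)
        if flagged:
            print("review:", ", ".join(flagged), "<-", line)
```

Parameters sent in a POST body do not appear in an access log, so this only covers values passed in the query string.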