Date: Wed, 31 May 2023 06:52:10 GMT From: =?utf-8?Q?Fernando=20Apestegu=C3=ADa?= <fernape@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 439ce2af737f - main - security/vuxml: Add XSS php80-kanboard vulnerability Message-ID: <202305310652.34V6qAPY081943@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by fernape: URL: https://cgit.FreeBSD.org/ports/commit/?id=439ce2af737fd7667d09a7ba8fb39d296392d807 commit 439ce2af737fd7667d09a7ba8fb39d296392d807 Author: Fernando ApesteguĂa <fernape@FreeBSD.org> AuthorDate: 2023-05-30 06:39:49 +0000 Commit: Fernando ApesteguĂa <fernape@FreeBSD.org> CommitDate: 2023-05-31 06:47:04 +0000 security/vuxml: Add XSS php80-kanboard vulnerability CVE-2023-32685 with Base Score 7.1 (HIGH) PR: 271702 --- security/vuxml/vuln/2023.xml | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index 2dbe137ce89f..ae6abbb9399d 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml @@ -1,3 +1,37 @@ + <vuln vid="79514fcd-feb4-11ed-92b5-b42e991fc52e"> + <topic>Kanboard -- Clipboard based cross-site scripting (blocked with default CSP) in Kanboard</topic> + <affects> + <package> + <name>php80-kanboard</name> + <range><lt>1.2.29</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>security-advisories@github.com reports:</p> + <blockquote cite="https://github.com/kanboard/kanboard/commit/26b6eebb78d4306e48b836a58f7c386251aa2bc7">; + <p>Kanboard is project management software that focuses on the Kanban + methodology. Due to improper handling of elements under the + `contentEditable` element, maliciously crafted clipboard content + can inject arbitrary HTML tags into the DOM. A low-privileged + attacker with permission to attach a document on a vulnerable + Kanboard instance can trick the victim into pasting malicious + screenshot data and achieve cross-site scripting if CSP is improperly + configured. This issue has been patched in version 1.2.29. + </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2023-32685</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2023-32685</url>; + </references> + <dates> + <discovery>2023-05-30</discovery> + <entry>2023-05-30</entry> + </dates> + </vuln> + <vuln vid="fd87a250-ff78-11ed-8290-a8a1599412c6"> <topic>chromium -- multiple vulnerabilities</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202305310652.34V6qAPY081943>