Date: Sun, 6 Mar 2016 13:20:43 +1100
From: Kubilay Kocak <koobs@FreeBSD.org>
To: Ruslan Makhmatkhanov <rm@FreeBSD.org>, ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: Re: svn commit: r410209 - head/www/py-djblets
Message-ID: <d5464454-75fd-c90f-2596-f066abc5f8f8@FreeBSD.org>
In-Reply-To: <201603052028.u25KSw35054174@repo.freebsd.org>
References: <201603052028.u25KSw35054174@repo.freebsd.org>
On 6/03/2016 7:28 AM, Ruslan Makhmatkhanov wrote:
> Author: rm
> Date: Sat Mar 5 20:28:58 2016
> New Revision: 410209
> URL: https://svnweb.freebsd.org/changeset/ports/410209
>
> Log:
>   www/py-djblets: update to 0.9.2
>
>   Changelog [1]:
>
>   Fixed a Self-XSS vulnerability in the djblets.datagrid column headers.
>
>   A recently-discovered vulnerability in the datagrid templates allows an attacker
>   to generate a URL to any datagrid page containing malicious code in a column
>   sorting value. If the user visits that URL and then clicks that column, the code
>   will execute.
>
>   The cause of the vulnerability was due to a template not escaping user-provided
>   values.
>
>   This vulnerability was reported by Jose Carlos Exposito Bueno (0xlabs).
>
>   [1] https://www.reviewboard.org/docs/releasenotes/djblets/0.9.2/
>
>   With hat: python

VuXML + MFH?
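The quoted changelog describes the bug class but not the template itself. The following is an added illustration, not djblets or Review Board code: a stand-in for a datagrid's column-header rendering that echoes the current sort value (taken from the request URL) back into every header link, first without escaping and then with it. The column names, the `sort` query parameter, and the `reviews.example` host are assumptions made for the example; the attacker URL and payload are constructed.

```python
from html import escape
from urllib.parse import urlparse, parse_qs, quote

# Constructed stand-in for datagrid header rendering. NOT djblets code.
# Column names and the "sort" query parameter are assumptions for this example.
COLUMNS = ["summary", "submitter", "last_updated"]


def sort_value_from_url(url):
    """Return the user-supplied ?sort=... value from a datagrid URL ('' if absent)."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    return query.get("sort", [""])[0]


def render_headers_unescaped(sort_value, columns=COLUMNS):
    """Vulnerable pattern: the current sort value is placed verbatim into each
    header link (so clicking a column keeps or flips the ordering). A value
    containing a double quote closes the href attribute and injects markup."""
    cells = []
    for name in columns:
        cells.append('<th><a href="?sort=%s&amp;col=%s">%s</a></th>'
                     % (sort_value, name, name))
    return "<tr>" + "".join(cells) + "</tr>"


def render_headers_escaped(sort_value, columns=COLUMNS):
    """Fixed pattern: every user-provided value is HTML-escaped (quotes included,
    since it lands inside an attribute) before it is written into the markup."""
    safe_sort = escape(sort_value, quote=True)
    cells = []
    for name in columns:
        safe_name = escape(name, quote=True)
        cells.append('<th><a href="?sort=%s&amp;col=%s">%s</a></th>'
                     % (safe_sort, safe_name, safe_name))
    return "<tr>" + "".join(cells) + "</tr>"


def breaks_out_of_attribute(html, payload):
    """Crude check: if the raw payload (with its quote and tag characters) survives
    into the rendered page, the attribute boundary has been broken."""
    return payload in html


# Constructed attacker URL: the sort value closes the href attribute and injects a script.
PAYLOAD = '"><script>alert(document.cookie)</script>'
ATTACK_URL = "https://reviews.example/r/?sort=" + quote(PAYLOAD, safe="")  # hypothetical host


def demo(url=ATTACK_URL):
    """Render the header row both ways for the sort value carried in `url`."""
    sort_value = sort_value_from_url(url)
    vulnerable = render_headers_unescaped(sort_value)
    fixed = render_headers_escaped(sort_value)
    return {
        "sort_value": sort_value,
        "vulnerable_injected": breaks_out_of_attribute(vulnerable, PAYLOAD),
        "fixed_injected": breaks_out_of_attribute(fixed, PAYLOAD),
        "vulnerable_html": vulnerable,
        "fixed_html": fixed,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%s = %s" % (key, value))
```

The check is deliberately crude (substring match on the payload); the point is the context: a value that is safe as link text is not safe inside a quoted attribute unless quotes are escaped too, and `html.escape(..., quote=True)` covers both. In Django templates autoescaping is on by default, so a template usually stops escaping only where `|safe`, `mark_safe()` or `{% autoescape off %}` is used; which of these applied in djblets is not stated in the quoted changelog.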