Date:      Fri, 14 Dec 2018 13:29:12 +0000 (UTC)
From:      Tijl Coosemans <tijl@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r487432 - head/security/vuxml
Message-ID:  <201812141329.wBEDTCks058541@repo.freebsd.org>

Author: tijl
Date: Fri Dec 14 13:29:11 2018
New Revision: 487432
URL: https://svnweb.freebsd.org/changeset/ports/487432

Log:
  HTML encode < and > and fix the formatting of the latest typo3 entry.

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Fri Dec 14 13:22:01 2018	(r487431)
+++ head/security/vuxml/vuln.xml	Fri Dec 14 13:29:11 2018	(r487432)
@@ -118,11 +118,14 @@ Notes:
 	  <p>Failing to properly encode user input, login status display is vulnerable to cross-site
 	    scripting in the website frontend. A valid user account is needed in order to exploit this
 	    vulnerability - either a backend user or a frontend user having the possibility to modify
-	    their user profile.
-	    Template patterns that are affected are:
-	    ###FEUSER_[fieldName]### using system extension felogin
-	    <!--###USERNAME###--> for regular frontend rendering (pattern can be defined individually
-	    using TypoScript setting config.USERNAME_substToken)</p>
+	    their user profile.</p>
+	  <p>Template patterns that are affected are:</p>
+	  <ul>
+	    <li>###FEUSER_[fieldName]### using system extension felogin</li>
+	    <li>&lt;!--###USERNAME###--&gt; for regular frontend rendering
+	      (pattern can be defined individually using TypoScript setting
+	      config.USERNAME_substToken)</li>
+	  </ul>
 	  <p>It has been discovered that cookies created in the Install Tool are not hardened to be
 	    submitted only via HTTP. In combination with other vulnerabilities such as cross-site
 	    scripting it can lead to hijacking an active and valid session in the Install Tool.</p>
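Review bot: Escaping the angle brackets in the `&lt;!--###USERNAME###--&gt;` list item is the essential part of this hunk: the previous literal `<!--###USERNAME###-->` was an XML comment inside vuln.xml, so the pattern name was dropped from the parsed entry and the advisory rendered without it. The move of the pattern list into `<ul>`/`<li>` is fine, and the `<p>` opened at the top of the hunk is now closed before the list. As a possible follow-up in the unchanged context, "not hardened to be submitted only via HTTP" reads as a description of a missing HttpOnly cookie flag; naming the flag would make the Install Tool cookie issue clearer to readers scanning the entry.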