Date: Fri, 14 Dec 2018 14:30:52 +0100 From: =?UTF-8?B?VMSzbA==?= Coosemans <tijl@FreeBSD.org> To: Jochen Neumeister <joneum@FreeBSD.org> Cc: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: Re: svn commit: r487425 - head/security/vuxml Message-ID: <20181214143052.2e098401@kalimero.tijl.coosemans.org> In-Reply-To: <201812141157.wBEBvJvS010416@repo.freebsd.org> References: <201812141157.wBEBvJvS010416@repo.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 14 Dec 2018 11:57:19 +0000 (UTC) Jochen Neumeister <joneum@FreeBSD.org> wrote: > Author: joneum > Date: Fri Dec 14 11:57:19 2018 > New Revision: 487425 > URL: https://svnweb.freebsd.org/changeset/ports/487425 > > Log: > Add entry for typo3-8 and typo3-9 > > PR: 233935 233936 > Sponsored by: Netzkommune GmbH > > Modified: > head/security/vuxml/vuln.xml > > Modified: head/security/vuxml/vuln.xml > ============================================================================== > --- head/security/vuxml/vuln.xml Fri Dec 14 11:28:43 2018 (r487424) > +++ head/security/vuxml/vuln.xml Fri Dec 14 11:57:19 2018 (r487425) > @@ -58,6 +58,68 @@ Notes: > * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) > --> > <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; > + <vuln vid="bab29816-ff93-11e8-b05b-00e04c1ea73d"> > + <topic>typo3 -- multiple vulnerabilities</topic> > + <affects> > + <package> > + <name>typo3-8</name> > + <range><lt>8.7.21</lt></range> > + </package> > + <package> > + <name>typo3-9</name> > + <range><lt>9.5.2</lt></range> > + </package> > + </affects> > + <description> > + <body xmlns="http://www.w3.org/1999/xhtml">; > + <p>Typo3 core team reports:</p> > + <blockquote cite="https://typo3.org/article/typo3-952-8721-and-7632-security-releases-published/">; > + <p>CKEditor 4.11 fixes an XSS vulnerability in the HTML parser reported by maxarr. > + The vulnerability stemmed from the fact that it was possible to execute XSS inside > + the CKEditor source area after persuading the victim to: (i) switch CKEditor to > + source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, > + into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode. > + Although this is an unlikely scenario, we recommend to upgrade to the latest editor version.</p> > + <p>Failing to properly encode user input, online media asset rendering > + (*.youtube and *.vimeo files) is vulnerable to cross-site scripting. A valid backend user > + account or write access on the server system (e.g. SFTP) is needed in order to exploit this > + vulnerability.</p> > + <p>Failing to properly encode user input, notifications shown in modal windows in the TYPO3 > + backend are vulnerable to cross-site scripting. A valid backend user account is needed in > + order to exploit this vulnerability.</p> > + <p>Failing to properly encode user input, login status display is vulnerable to cross-site > + scripting in the website frontend. A valid user account is needed in order to exploit this > + vulnerability - either a backend user or a frontend user having the possibility to modify > + their user profile. > + Template patterns that are affected are: > + ###FEUSER_[fieldName]### using system extension felogin > + <!--###USERNAME###--> for regular frontend rendering (pattern can be I've HTML encoded the < and > here in r487432.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20181214143052.2e098401>