Gentoo Foundation: GLSA-202210-07
Oct 16, 2022 - 12:00 a.m.

Deluge: Cross-Site Scripting

Source: security.gentoo.org
Tags: deluge, bittorrent client, xss, crafted torrent file, html, upgrade, net-p2p, version 2.1.1

CVSS3: 6.1 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001 Low
Percentile: 34.5%

Background

Deluge is a BitTorrent client.

Description

Deluge does not sufficiently sanitize crafted torrent file data, leading to the application interpreting untrusted data as HTML.

Impact

An attacker can achieve XSS via a crafted torrent file.
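
A defensive illustration of the flaw class described above, added here and not taken from Deluge or from the advisory: a minimal bencode reader that lists torrent metadata strings containing HTML metacharacters and shows their escaped form. The advisory does not name the affected fields, so scanning every string field, the constructed `SAMPLE` torrent and all function names are assumptions.

```python
import html

def bdecode(data, i=0):
    """Decode one bencoded value at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                          # list/dict: items until 'e'
        items, i = [], i + 1
        while data[i:i + 1] != b"e":               # truncated input raises below
            item, i = bdecode(data, i)
            items.append(item)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[0::2], items[1::2])), i + 1
    if c.isdigit():                                # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        start, n = colon + 1, int(data[i:colon])
        if start + n > len(data):
            raise ValueError("string length runs past end of data")
        return data[start:start + n], start + n
    raise ValueError(f"bad bencode at offset {i}")

def text_fields(value, path="torrent"):
    """Yield (path, text) for each byte string, skipping the binary 'pieces' blob."""
    if isinstance(value, bytes):
        yield path, value.decode("utf-8", "replace")
    elif isinstance(value, list):
        for n, item in enumerate(value):
            yield from text_fields(item, f"{path}[{n}]")
    elif isinstance(value, dict):
        for key, item in value.items():
            k = key.decode("utf-8", "replace") if isinstance(key, bytes) else repr(key)
            if k != "pieces":
                yield from text_fields(item, f"{path}.{k}")

def audit(data):
    """Return [(path, raw, escaped)] for fields holding HTML metacharacters."""
    meta, _ = bdecode(data)
    return [(p, t, html.escape(t)) for p, t in text_fields(meta)
            if set(t) & set("<>&\"'")]

def _s(b):                                         # bencode one byte string
    return str(len(b)).encode() + b":" + b

# Constructed sample (assumption): harmless markup in the torrent name field.
SAMPLE = (b"d" + _s(b"announce") + _s(b"http://tracker.test/") + _s(b"info") + b"d"
          + _s(b"length") + b"i1e" + _s(b"name") + _s(b"<b>demo</b>.iso")
          + _s(b"pieces") + _s(bytes(20)) + b"ee")

if __name__ == "__main__":
    for path, raw, escaped in audit(SAMPLE):
        print(f"{path}: {raw!r} -> {escaped!r}")
```
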

Workaround

There is no known workaround at this time.

Resolution

All Deluge users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-p2p/deluge-2.1.1"

OS      Version  Architecture  Package         Version  Filename
Gentoo  any      all           net-p2p/deluge  < 2.1.1  UNKNOWN
