4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.003 Low
EPSS
Percentile
67.8%
A directory traversal and information disclosure (local file inclusion) flaws were found in the cssgen contrib module (application to generate custom CSS files) of GeSHi, a generic syntax highlighter, performed sanitization of ‘geshi-path’ and ‘geshi-lang-path’ HTTP GET / POST variables. A remote attacker could provide a specially-crafted URL that, when visited could lead to local file system traversal or, potentially, ability to read content of any local file, accessible with the privileges of the user running the webserver (CVE-2012-3251). A cross-site scripting (XSS) flaw was found in the way ‘langwiz’ example script of GeSHi, a generic syntax highlighter, performed sanitization of certain HTTP GET / POST request variables (prior dumping their content). A remote attacker could provide a specially-crafted URL that, when visited would lead to arbitrary HTML or web script execution (CVE-2012-3522).
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Mageia | 2 | noarch | php-geshi | < 1.0.8.11-1 | php-geshi-1.0.8.11-1.mga2 |