[SECURITY] [DSA 2206-1] New mahara packages fix several vulnerabilities

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA 2206-1 [email protected] http://www.debian.org/security/ Martin Schulze March 29th, 2011 http://www.debian.org/security/faq -...

Mahara跨站脚本和跨站请求伪造漏洞

Bugtraq ID: 47033 CVE ID：CVE-2011-0439 Mahara是一款开源的电子文件夹，网络日志，履历表生成器和社会化网络系统。 Mahara存在多个输入验证错误，攻击者可以利用漏洞获得敏感信息或劫持目标用户会话。 -应用程序存在跨站请求伪造漏洞，攻击者可以构建恶意链接，诱使管理员访问，删除博客日志。 -通过Pieform选择框选项传递的输入在显示给用户之前缺少正确过滤，可被利用注入任意HTML和脚本代码，导致恶意数据查看时在目标用户浏览器上执行恶意代码。 Mahara Mahara 1.3.3 Mahara Mahara 1.2.5 Mahara Mahara...

CVE-2011-0439

CVE-2011-0439 affects Mahara; OpenVAS entries corroborate two issues: (1) XSS via unsanitized input in Mahara 1.2.x before 1.2.7 and 1.3.x before 1.3.4, (2) CVRF-equivalent risk (CVE-2011-0440) where session key checks may fail, enabling blog deletions. CVE-2011-0439’s impact is reflected as part...