{ "schema_version": "1.7.0", "id": "MGASA-2013-0163", "published": "2013-06-06T12:24:33Z", "modified": "2013-06-18T15:55:08Z", "summary": "Updated php-geshi package fix security vulnerabilities", "details": "A directory traversal and information disclosure (local file inclusion) flaws\nwere found in the cssgen contrib module (application to generate custom CSS\nfiles) of GeSHi, a generic syntax highlighter, performed sanitization of\n'geshi-path' and 'geshi-lang-path' HTTP GET / POST variables. A remote\nattacker could provide a specially-crafted URL that, when visited could lead\nto local file system traversal or, potentially, ability to read content of\nany local file, accessible with the privileges of the user running the\nwebserver (CVE-2012-3251).\n\nA cross-site scripting (XSS) flaw was found in the way 'langwiz' example\nscript of GeSHi, a generic syntax highlighter, performed sanitization of\ncertain HTTP GET / POST request variables (prior dumping their content). A\nremote attacker could provide a specially-crafted URL that, when visited\nwould lead to arbitrary HTML or web script execution (CVE-2012-3522).\n", "upstream": [ "CVE-2012-3251", "CVE-2012-3522" ], "references": [ { "type": "ADVISORY", "url": "https://advisories.mageia.org/MGASA-2013-0163.html" }, { "type": "WEB", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105247.html" } ], "affected": [ { "package": { "ecosystem": "Mageia:2", "name": "php-geshi", "purl": "pkg:rpm/mageia/php-geshi?arch=source&distro=mageia-2" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.0.8.11-1.mga2" } ] } ], "ecosystem_specific": { "section": "core" } } ], "credits": [ { "name": "Mageia", "type": "COORDINATOR", "contact": [ "https://wiki.mageia.org/en/Packages_Security_Team" ] } ] }