952842 – (CVE-2015-5667) VUL-0: CVE-2015-5667: perl-HTML-Scrubber: XSS vulnerability when function "comment" is enabled

Bug 952842 (CVE-2015-5667) - VUL-0: CVE-2015-5667: perl-HTML-Scrubber: XSS vulnerability when function "comment" is enabled

Summary: VUL-0: CVE-2015-5667: perl-HTML-Scrubber: XSS vulnerability when function "co...

Status:	RESOLVED FIXED

Alias:	CVE-2015-5667

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other openSUSE 13.2

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	James Oakley
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/158408/
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2015-10-30 13:22 UTC by Johannes Segitz
Modified:	2017-08-15 09:16 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Johannes Segitz 2015-10-30 13:22:47 UTC

rh#1276646

A cross-site cripting vulnerability was found in HTML::Scrubber Perl module. If the function "comment" is enabled, an arbitrary script may be executed on the user's web browser. Affects versions 0.14 and earlier.

Upstream patch:

https://github.com/nigelm/html-scrubber/commit/e1978cc37867e85c06a84a4651745235010cd6cd

openSUSE only. Factory is fixed, 13.1, 13.2 and Leap need the fix

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1276646
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5667
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5667

Comment 1 Swamp Workflow Management 2015-10-30 23:00:36 UTC

bugbot adjusting priority

Comment 2 Johannes Segitz 2017-08-15 09:16:12 UTC

0.15 in Factory and Leap