FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  363221
Date:      2014-07-28
Time:      18:38:13Z
Committer: cs

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
d7cd5015-08c9-11da-bc08-0001020eed82gforge -- XSS and email flood vulnerabilities

Jose Antonio Coret reports that GForge contains multiple Cross Site Scripting vulnerabilities and an e-mail flood vulnerability:

The login form is also vulnerable to XSS (Cross Site Scripting) attacks. This may be used to launch phising attacks by sending HTML e-mails (i.e.: saying that you need to upgrade to the latest GForge version due to a security problem) and putting in the e-mail an HTML link that points to an specially crafted url that inserts an html form in the GForge login page and when the user press the login button, he/she send the credentials to the attackers website.

The 'forgot your password?' feature allows a remote user to load a certain URL to cause the service to send a validation e-mail to the specified user's e-mail address. There is no limit to the number of messages sent over a period of time, so a remote user can flood the target user's secondary e-mail address. E-Mail Flood, E-Mail bomber.


Discovery 2005-07-27
Entry 2005-08-09
gforge
gt 0

14405
CVE-2005-2430
CVE-2005-2431
http://marc.theaimsgroup.com/?l=bugtraq&m=112259845904350
fe903533-ff96-4c7a-bd3e-4d40efa71897gforge -- directory traversal vulnerability

An STG Security Advisory reports:

GForge CVS module made by Dragos Moinescu and another module made by Ronald Petty have a directory traversal vulnerability. [...] malicious attackers can read arbitrary directory lists.


Discovery 2005-01-20
Entry 2005-06-03
gforge
lt 4.0

CVE-2005-0299
12318
http://marc.theaimsgroup.com/?l=bugtraq&m=110627132209963
fe903533-ff96-4c7a-bd3e-4d40efa71897gforge -- directory traversal vulnerability

An STG Security Advisory reports:

GForge CVS module made by Dragos Moinescu and another module made by Ronald Petty have a directory traversal vulnerability. [...] malicious attackers can read arbitrary directory lists.


Discovery 2005-01-20
Entry 2005-06-03
gforge
lt 4.0

CVE-2005-0299
12318
http://marc.theaimsgroup.com/?l=bugtraq&m=110627132209963
d7cd5015-08c9-11da-bc08-0001020eed82gforge -- XSS and email flood vulnerabilities

Jose Antonio Coret reports that GForge contains multiple Cross Site Scripting vulnerabilities and an e-mail flood vulnerability:

The login form is also vulnerable to XSS (Cross Site Scripting) attacks. This may be used to launch phising attacks by sending HTML e-mails (i.e.: saying that you need to upgrade to the latest GForge version due to a security problem) and putting in the e-mail an HTML link that points to an specially crafted url that inserts an html form in the GForge login page and when the user press the login button, he/she send the credentials to the attackers website.

The 'forgot your password?' feature allows a remote user to load a certain URL to cause the service to send a validation e-mail to the specified user's e-mail address. There is no limit to the number of messages sent over a period of time, so a remote user can flood the target user's secondary e-mail address. E-Mail Flood, E-Mail bomber.


Discovery 2005-07-27
Entry 2005-08-09
gforge
gt 0

14405
CVE-2005-2430
CVE-2005-2431
http://marc.theaimsgroup.com/?l=bugtraq&m=112259845904350