FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  537150
Date:      2020-05-31
Time:      10:53:12Z
Committer: adamw

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
0297b260-2b3b-11e6-ae88-002590263bf5ikiwiki -- XSS vulnerability

Mitre reports:

Cross-site scripting (XSS) vulnerability in the cgierror function in CGI.pm in ikiwiki before 3.20160506 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving an error message.


Discovery 2016-05-04
Entry 2016-06-05
ikiwiki
lt 3.20160509

CVE-2016-4561
ports/209593
90db9983-2f53-11dd-a0d8-0016d325a0edikiwiki -- cleartext passwords

The ikiwiki development team reports:

Until version 2.48, ikiwiki stored passwords in cleartext in the userdb. That risks exposing all users' passwords if the file is somehow exposed. To pre-emtively guard against that, current versions of ikiwiki store password hashes (using Eksblowfish).


Discovery 2008-05-30
Entry 2008-06-01
ikiwiki
lt 2.48

http://ikiwiki.info/security/#index32h2
6e8f54af-a07d-11de-a649-000c2955660fikiwiki -- insufficient blacklisting in teximg plugin

The IkiWiki development team reports:

IkiWikis teximg plugin's blacklisting of insecure TeX commands is insufficient; it can be bypassed and used to read arbitrary files.


Discovery 2009-08-28
Entry 2009-09-13
ikiwiki
lt 3.1415926

CVE-2009-2944
http://ikiwiki.info/security/#index35h2
739329c8-d8f0-11dc-ac2f-0016d325a0edikiwiki -- javascript insertion via uris

The ikiwiki development team reports:

The htmlscrubber did not block javascript in uris. This was fixed by adding a whitelist of valid uri types, which does not include javascript. Some urls specifyable by the meta plugin could also theoretically have been used to inject javascript; this was also blocked.


Discovery 2008-02-10
Entry 2008-02-11
Modified 2010-05-12
ikiwiki
lt 2.32.3

CVE-2008-0808
http://ikiwiki.info/security/#index30h2
3145faf1-974c-11e0-869e-000c29249b2eikiwiki -- tty hijacking via ikiwiki-mass-rebuild

The IkiWiki development team reports:

Ludwig Nussel discovered a way for users to hijack root's tty when ikiwiki-mass-rebuild was run. Additionally, there was some potential for information disclosure via symlinks.


Discovery 2011-06-08
Entry 2011-06-15
ikiwiki
lt 3.20110608

CVE-2011-1408
http://ikiwiki.info/security/#index40h2
90db9983-2f53-11dd-a0d8-0016d325a0edikiwiki -- cleartext passwords

The ikiwiki development team reports:

Until version 2.48, ikiwiki stored passwords in cleartext in the userdb. That risks exposing all users' passwords if the file is somehow exposed. To pre-emtively guard against that, current versions of ikiwiki store password hashes (using Eksblowfish).


Discovery 2008-05-30
Entry 2008-06-01
ikiwiki
lt 2.48

http://ikiwiki.info/security/#index32h2
5ed094a0-0150-11e7-ae1b-002590263bf5ikiwiki -- multiple vulnerabilities

Mitre reports:

ikiwiki 3.20161219 does not properly check if a revision changes the access permissions for a page on sites with the git and recentchanges plugins and the CGI interface enabled, which allows remote attackers to revert certain changes by leveraging permissions to change the page before the revision was made.

When CGI::FormBuilder->field("foo") is called in list context (and in particular in the arguments to a subroutine that takes named arguments), it can return zero or more values for foo from the CGI request, rather than the expected single value. This breaks the usual Perl parsing convention for named arguments, similar to CVE-2014-1572 in Bugzilla (which was caused by a similar API design issue in CGI.pm).


Discovery 2016-12-19
Entry 2017-03-05
ikiwiki
lt 3.20161229

CVE-2016-10026
CVE-2016-9645
CVE-2016-9646
https://ikiwiki.info/security/#index46h2
https://ikiwiki.info/security/#index47h2
8d2c0ce1-08b6-11dd-94b4-0016d325a0edikiwiki -- cross site request forging

The ikiwiki development team reports:

Cross Site Request Forging could be used to construct a link that would change a logged-in user's password or other preferences if they clicked on the link. It could also be used to construct a link that would cause a wiki page to be modified by a logged-in user.


Discovery 2008-04-10
Entry 2008-04-13
Modified 2010-05-12
ikiwiki
lt 2.42

CVE-2008-0165
http://ikiwiki.info/security/#index31h2
3145faf1-974c-11e0-869e-000c29249b2eikiwiki -- tty hijacking via ikiwiki-mass-rebuild

The IkiWiki development team reports:

Ludwig Nussel discovered a way for users to hijack root's tty when ikiwiki-mass-rebuild was run. Additionally, there was some potential for information disclosure via symlinks.


Discovery 2011-06-08
Entry 2011-06-15
ikiwiki
lt 3.20110608

CVE-2011-1408
http://ikiwiki.info/security/#index40h2
7b35a77a-0151-11e7-ae1b-002590263bf5ikiwiki -- authentication bypass vulnerability

ikiwiki reports:

The ikiwiki maintainers discovered further flaws similar to CVE-2016-9646 in the passwordauth plugin's use of CGI::FormBuilder, with a more serious impact:

An attacker who can log in to a site with a password can log in as a different and potentially more privileged user.

An attacker who can create a new account can set arbitrary fields in the user database for that account


Discovery 2017-01-11
Entry 2017-03-05
ikiwiki
lt 3.20170111

CVE-2017-0356
https://ikiwiki.info/security/#index48h2
09066828-2ef1-11dd-a0d8-0016d325a0edikiwiki -- empty password security hole

The ikiwiki development team reports:

This hole allowed ikiwiki to accept logins using empty passwords to openid accounts that didn't use a password.

Upgrading to a non-vulnerable ikiwiki version immediatly is recommended if your wiki allows both password and openid logins.


Discovery 2008-05-30
Entry 2008-05-31
Modified 2010-05-12
ikiwiki
ge 1.34 lt 2.47_1

CVE-2008-0169
http://ikiwiki.info/security/#index33h2
6e8f54af-a07d-11de-a649-000c2955660fikiwiki -- insufficient blacklisting in teximg plugin

The IkiWiki development team reports:

IkiWikis teximg plugin's blacklisting of insecure TeX commands is insufficient; it can be bypassed and used to read arbitrary files.


Discovery 2009-08-28
Entry 2009-09-13
ikiwiki
lt 3.1415926

CVE-2009-2944
http://ikiwiki.info/security/#index35h2
8d2c0ce1-08b6-11dd-94b4-0016d325a0edikiwiki -- cross site request forging

The ikiwiki development team reports:

Cross Site Request Forging could be used to construct a link that would change a logged-in user's password or other preferences if they clicked on the link. It could also be used to construct a link that would cause a wiki page to be modified by a logged-in user.


Discovery 2008-04-10
Entry 2008-04-13
Modified 2010-05-12
ikiwiki
lt 2.42

CVE-2008-0165
http://ikiwiki.info/security/#index31h2
09066828-2ef1-11dd-a0d8-0016d325a0edikiwiki -- empty password security hole

The ikiwiki development team reports:

This hole allowed ikiwiki to accept logins using empty passwords to openid accounts that didn't use a password.

Upgrading to a non-vulnerable ikiwiki version immediatly is recommended if your wiki allows both password and openid logins.


Discovery 2008-05-30
Entry 2008-05-31
Modified 2010-05-12
ikiwiki
ge 1.34 lt 2.47_1

CVE-2008-0169
http://ikiwiki.info/security/#index33h2
739329c8-d8f0-11dc-ac2f-0016d325a0edikiwiki -- javascript insertion via uris

The ikiwiki development team reports:

The htmlscrubber did not block javascript in uris. This was fixed by adding a whitelist of valid uri types, which does not include javascript. Some urls specifyable by the meta plugin could also theoretically have been used to inject javascript; this was also blocked.


Discovery 2008-02-10
Entry 2008-02-11
Modified 2010-05-12
ikiwiki
lt 2.32.3

CVE-2008-0808
http://ikiwiki.info/security/#index30h2