FreshPorts - VuXML
This page displays vulnerability information about FreeBSD Ports.
The last vuln.xml file processed by FreshPorts is:
These are the vulnerabilities relating to the commit you have selected:
|5ed094a0-0150-11e7-ae1b-002590263bf5||ikiwiki -- multiple vulnerabilities|
ikiwiki 3.20161219 does not properly check if a revision changes
the access permissions for a page on sites with the git and
recentchanges plugins and the CGI interface enabled, which allows
remote attackers to revert certain changes by leveraging permissions
to change the page before the revision was made.

When CGI::FormBuilder->field("foo") is called in list context
(and in particular in the arguments to a subroutine that takes named
arguments), it can return zero or more values for foo from the CGI
request, rather than the expected single value. This breaks the
usual Perl parsing convention for named arguments, similar to
CVE-2014-1572 in Bugzilla (which was caused by a similar API design
issue in CGI.pm).
|0297b260-2b3b-11e6-ae88-002590263bf5||ikiwiki -- XSS vulnerability|
Cross-site scripting (XSS) vulnerability in the cgierror function
in CGI.pm in ikiwiki before 3.20160506 might allow remote attackers
to inject arbitrary web script or HTML via unspecified vectors
involving an error message.
|7b35a77a-0151-11e7-ae1b-002590263bf5||ikiwiki -- authentication bypass vulnerability|
The ikiwiki maintainers discovered further flaws similar to
CVE-2016-9646 in the passwordauth plugin's use of
CGI::FormBuilder, with a more serious impact:
An attacker who can log in to a site with a password can log in as
a different and potentially more privileged user.

An attacker who can create a new account can set arbitrary fields
in the user database for that account.
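
The list-context behaviour described for CGI::FormBuilder->field above, which the passwordauth entry says is the same class of flaw, is shown here as an added example; it is not code from ikiwiki or CGI::FormBuilder. The `field` sub is a hypothetical stand-in that only mimics the context-sensitive return, and `describe_args`, the request data and the `is_admin` key are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed request: the "email" parameter was submitted three times.
my %request = (
    name  => ['alice'],
    email => ['a@example.org', 'is_admin', '1'],
);

# Hypothetical stand-in for a context-sensitive accessor such as
# CGI::FormBuilder->field: every value in list context, the first in scalar.
sub field {
    my ($key) = @_;
    my @values = @{ $request{$key} || [] };
    return wantarray ? @values : $values[0];
}

# Hypothetical callee that follows the usual named-argument convention:
# the flat argument list is read as key/value pairs, later keys win.
sub describe_args {
    my %args = @_;
    return join ', ', map { "$_=" . ($args{$_} // 'undef') } sort keys %args;
}

# Before: field() is evaluated in list context inside the argument list,
# so the surplus values are parsed as one more key/value pair.
my $unsafe = describe_args(
    is_admin => 0,
    name     => field('name'),
    email    => field('email'),
);

# After: scalar() forces exactly one value for each named argument.
my $safe = describe_args(
    is_admin => 0,
    name     => scalar field('name'),
    email    => scalar field('email'),
);

print "list context:   $unsafe\n";
print "scalar context: $safe\n";
```

When reviewing Perl CGI code for this pattern, look for accessor calls placed directly in a hash or argument list without `scalar` or a prior assignment to a scalar variable.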