CVE-2012-4037

Priority
Medium
Description
Multiple cross-site scripting (XSS) vulnerabilities in the web client in
Transmission before 2.61 allow remote attackers to inject arbitrary web
script or HTML via the (1) comment, (2) created by, or (3) name field in a
torrent file.
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4037
http://www.madirish.net/541
http://secunia.com/advisories/50027
http://archives.neohapsis.com/archives/fulldisclosure/2012-07/0349.html
http://www.ubuntu.com/usn/usn-1584-1
Bugs
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683380
https://trac.transmissionbt.com/ticket/4979
Notes
mdeslaur> can't reproduce in oneiric and earlier
Assigned-to
mdeslaur
Package
Source: transmission (LP Ubuntu Debian)
Upstream:released (2.52-3,2.61)
Ubuntu 8.04 LTS (Hardy Heron):ignored (reached end-of-life)
Ubuntu 10.04 LTS (Lucid Lynx):not-affected
Ubuntu 11.04 (Natty Narwhal):not-affected
Ubuntu 11.10 (Oneiric Ocelot):not-affected
Ubuntu 12.04 LTS (Precise Pangolin):released (2.51-0ubuntu1.1)
Ubuntu 12.10 (Quantal Quetzal):not-affected (2.61-0ubuntu1)
Patches:
Upstream:https://trac.transmissionbt.com/changeset/13392
Vendor:http://patch-tracker.debian.org/patch/series/view/transmission/2.52-3/fix_xss_web_client.patch
More Information

Valid XHTML 1.0 Strict

Updated: 2012-09-26 15:14:27 UTC (commit 5820)