PublicDate: 2008-07-31 21:41:00 UTC
Candidate: CVE-2008-3422
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3422
 https://ubuntu.com/security/notices/USN-826-1
Description:
 Multiple cross-site scripting (XSS) vulnerabilities in the ASP.net class
 libraries in Mono 2.0 and earlier allow remote attackers to inject
 arbitrary web script or HTML via crafted attributes related to (1)
 HtmlControl.cs (PreProcessRelativeReference), (2) HtmlForm.cs
 (RenderAttributes), (3) HtmlInputButton (RenderAttributes), (4)
 HtmlInputRadioButton (RenderAttributes), and (5) HtmlSelect
 (RenderChildren).
Ubuntu-Description:
Notes:
Bugs:
 https://bugzilla.novell.com/show_bug.cgi?id=413534
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494406
Priority: low
Discovered-by:
Assigned-to: mdeslaur
CVSS:

Patches_mono:
 other: http://n2.nabble.com/-PATCH--HTML-encode-attributes-that-might-need-encoding-td584193.html
 vendor: http://svn.debian.org/wsvn/pkg-mono/migrated-to-git/mono/trunk/debian/patches/fix_sloppy_attribute_encode_CVE-2008-3422.dpatch
 upstream: http://anonsvn.mono-project.com/viewvc?view=rev&revision=109349 (trunk)
 upstream: http://anonsvn.mono-project.com/viewvc?view=rev&revision=109348 (2.0)
 upstream: http://anonsvn.mono-project.com/viewvc?view=rev&revision=109358 (1.9)
 upstream: http://anonsvn.mono-project.com/viewvc?view=rev&revision=110144 (1.2.5)
upstream_mono: needs-triage
dapper_mono: ignored (reached end-of-life)
feisty_mono: needed (reached end-of-life)
gutsy_mono: needed (reached end-of-life)
hardy_mono: released (1.2.6+dfsg-6ubuntu3.1)
intrepid_mono: not-affected (1.9.1+dfsg-4ubuntu2)
jaunty_mono: not-affected (2.0.1-4)
devel_mono: not-affected (2.4.2.3+dfsg-1)