CVE-2010-1459
Published: 27 May 2010
The default configuration of ASP.NET in Mono before 2.6.4 has a value of FALSE for the EnableViewStateMac property, which allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated by the __VIEWSTATE parameter to 2.0/menu/menu1.aspx in the XSP sample project.
Priority
Status
Package | Release | Status |
---|---|---|
mono Launchpad, Ubuntu, Debian |
dapper |
Ignored
(end of life)
|
hardy |
Ignored
(end of life)
|
|
jaunty |
Ignored
(end of life)
|
|
karmic |
Ignored
(end of life)
|
|
lucid |
Released
(2.4.4~svn151842-1ubuntu4.1)
|
|
maverick |
Not vulnerable
(2.6.7-2ubuntu1)
|
|
natty |
Not vulnerable
(2.6.7-2ubuntu1)
|
|
oneiric |
Not vulnerable
(2.6.7-2ubuntu1)
|
|
precise |
Not vulnerable
(2.6.7-2ubuntu1)
|
|
upstream |
Released
(2.6.4)
|
|
Patches: vendor: http://git.debian.org/?p=pkg-mono/packages/mono.git;a=patch;h=e861cd1186ee640856a4533b5ee349394fa67193 vendor: http://git.debian.org/?p=pkg-mono/packages/mono.git;a=patch;h=871872741c2d8f6c6325997c44c6f09b7a94dc14 vendor: https://bugzilla.redhat.com/attachment.cgi?id=418328&action=diff&context=patch&collapsed=&headers=1&format=raw |