Bug 28615

Summary: velocity-tools new security issue CVE-2020-13959
Product: Mageia
Reporter: Nicolas Lécureuil <mageia>
Component: Security
Assignee: Nicolas Lécureuil <mageia>
Status: RESOLVED OLD
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
Version: 7
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: velocity-tools-2.0-18.mga7.src.rpm
CVE:
Status comment:

Description Nicolas Lécureuil 2021-03-19 03:07:53 CET
The default error page for VelocityView reflects back the vm file that
was entered as part of the URL. An attacker can set an XSS payload
file as this vm file in the URL which results in this payload being
executed.

XSS vulnerabilities allow attackers to execute arbitrary JavaScript in
the context of the attacked website and the attacked user. This can be
abused to steal session cookies, perform requests in the name of the
victim or for phishing attacks.
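As an added illustration (not velocity-tools' own code and not its actual fix), the reflection pattern described above beside a hardened version that HTML-escapes the requested path before embedding it in the error page; the class name, error-page wording and the sample input are constructed for this example (needs Java 10+ for URLDecoder.decode with a Charset):

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Added example: a minimal error-page renderer that reflects the requested
// template name, first unescaped (the reflected-XSS shape) and then escaped.
public final class ErrorPageDemo {

    // Escape the characters that can break out of HTML text or attribute context.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable shape: the request path is concatenated straight into the markup.
    static String renderErrorPageUnescaped(String requestedTemplate) {
        return "<html><body><h2>Error processing a template for path '"
             + requestedTemplate + "'</h2></body></html>";
    }

    // Hardened shape: the same page with the user-controlled value escaped.
    static String renderErrorPageEscaped(String requestedTemplate) {
        return "<html><body><h2>Error processing a template for path '"
             + escapeHtml(requestedTemplate) + "'</h2></body></html>";
    }

    // Defender check: true if the raw input survives in the page verbatim,
    // i.e. the markup it carries would be interpreted by the browser.
    static boolean reflectsVerbatim(String input, String page) {
        return page.contains(input);
    }

    public static void main(String[] args) {
        // Constructed sample: a template name carrying markup, as the browser would send it.
        String raw = URLDecoder.decode("%3Cscript%3Ealert(1)%3C%2Fscript%3E.vm",
                                       StandardCharsets.UTF_8);
        System.out.println("unescaped page reflects markup: "
            + reflectsVerbatim(raw, renderErrorPageUnescaped(raw)));   // true
        System.out.println("escaped page reflects markup:   "
            + reflectsVerbatim(raw, renderErrorPageEscaped(raw)));     // false
        System.out.println(renderErrorPageEscaped(raw));
    }
}
```

The same check applied to a real response (fetch the error page for a path containing `<` and confirm it comes back as `&lt;`) is a quick way to verify a deployed instance carries the fix.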
Comment 1 Nicolas Lécureuil 2021-03-19 03:08:30 CET
fixed in mga7:

src:
    - velocity-tools-2.0-18.1.mga7

Assignee: bugsquad => qa-bugs

Nicolas Lécureuil 2021-03-19 03:11:47 CET

Assignee: qa-bugs => mageia

Comment 2 David Walser 2021-03-19 05:38:57 CET
Please provide a reference.
Comment 3 Nicolas Lécureuil 2021-03-19 09:39:26 CET
https://www.openwall.com/lists/oss-security/2021/03/10/2
David Walser 2021-03-30 23:20:28 CEST

Source RPM: (none) => velocity-tools-2.0-18.mga7.src.rpm
Summary: Security issue in velocity-tools CVE-2020-13959 => velocity-tools new security issue CVE-2020-13959

Comment 4 David Walser 2021-05-28 00:30:38 CEST
Debian-LTS has issued an advisory for this on March 17:
https://www.debian.org/lts/security/2021/dla-2597
Comment 5 David Walser 2021-07-01 18:30:45 CEST
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Resolution: (none) => OLD
Status: NEW => RESOLVED