phpIPAM version 1.3.2 and earlier contains a Cross Site Scripting (XSS) vulnerability in subnet-scan-telnet.php that can result in executing code in victims browser. This attack appears to be exploitable via victim visits link crafted by an attacker. This vulnerability appears to have been fixed in 1.4. phpIPAM 1.4 contains a stored cross site scripting (XSS) vulnerability within the Edit User Instructions field of the User Instructions widget.
CVE: (none) => CVE-2020-13225
Summary: phpipam security issue CVE-2019-1000010 => phpipam security issue CVE-2019-1000010 CVE-2020-13225
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1000010
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13225
Looks like this unmaintained package should be dropped.
Summary: phpipam security issue CVE-2019-1000010 CVE-2020-13225 => phpipam new security issues CVE-2019-1000010 and CVE-2020-13225
Whiteboard: (none) => MGA7TOO
Source RPM: phpipam-1.1.010-5.mga8.src => phpipam-1.1.010-5.mga8.src.rpm
Assignee: bugsquad => mageia
Version: 7 => Cauldron
latest version is 1.4 from 2019. In maintdb ennael is set as maintainer.
Also imported by dlucio. Neither have been active for years.
hmm, I'm ok with dropping.
ok so we fix for mga7 and drop for cauldron. Seems a good idea :-)
CC: (none) => mageia
new rpm pushed in mageia 7 ( new version 1.4.1 )
it contains even more security fixes, among them:

Security Fixes:
----------------------------
+ SQL injections processing `tableName` (#2738);
+ SQL injections processing `ftype` (#2751);
+ All circuits map, PHP object injection (#2937);

src:
phpipam-1.4.1-1.mga7
Assignee: mageia => qa-bugs
Advisory:
========================

Updated phpipam package fixes security vulnerabilities:

phpIPAM version 1.3.2 and earlier contains a Cross Site Scripting (XSS) vulnerability in subnet-scan-telnet.php that can result in executing code in victims browser. This attack appears to be exploitable via victim visits link crafted by an attacker (CVE-2019-1000010).

phpIPAM 1.4 contains a stored cross site scripting (XSS) vulnerability within the Edit User Instructions field of the User Instructions widget (CVE-2020-13225).

The phpipam package has been updated to version 1.4.1, which fixes these issues, along with several other security issues and bugs. See the release announcements for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1000010
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13225
https://github.com/phpipam/phpipam/releases
========================

Updated packages in core/updates_testing:
========================
phpipam-1.4.1-1.mga7

from phpipam-1.4.1-1.mga7.src.rpm
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Installed phpipam and dependencies. Attempted to update using QA Repo and the package name in Comment 7, and I get this:

There was a problem during the installation:
file /usr/share/phpipam/functions/locale/de_DE from install of phpipam-1.4.1-1.mga7.noarch conflicts with file from package phpipam-1.1.010-3.mga7.noarch
file /usr/share/phpipam/functions/locale/en from install of phpipam-1.4.1-1.mga7.noarch conflicts with file from package phpipam-1.1.010-3.mga7.noarch
file /usr/share/phpipam/functions/locale/es_ES from install of phpipam-1.4.1-1.mga7.noarch conflicts with file from package phpipam-1.1.010-3.mga7.noarch
file /usr/share/phpipam/functions/locale/fr_FR from install of phpipam-1.4.1-1.mga7.noarch conflicts with file from package phpipam-1.1.010-3.mga7.noarch
file /usr/share/phpipam/functions/locale/nl_NL from install of phpipam-1.4.1-1.mga7.noarch conflicts with file from package phpipam-1.1.010-3.mga7.noarch
file /usr/share/phpipam/functions/locale/pt_BR from install of phpipam-1.4.1-1.mga7.noarch conflicts with file from package phpipam-1.1.010-3.mga7.noarch
file /usr/share/phpipam/functions/locale/sl_SI from install of phpipam-1.4.1-1.mga7.noarch conflicts with file from package phpipam-1.1.010-3.mga7.noarch

I think it needs more work...
CC: (none) => andrewsfarm
Sounds like a file type change that needs to be handled in a %pretrans scriptlet.
Keywords: (none) => feedback
It's changing the files from being directories to being symlinks to the newly added UTF-8 versions of the files.
CC: (none) => davidwhodgins
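
Added illustration of the %pretrans approach suggested in the comments above; this is not the packager's code or the fix that was actually pushed. It assumes the seven locale paths from the conflict report are the ones changing from directories to symlinks, and it borrows the `.rpmmoved` backup suffix from the Fedora packaging guideline on directory replacement.

```lua
-- Body of a "%pretrans -p <lua>" scriptlet for the phpipam spec file.
-- %pretrans runs before anything in the transaction is unpacked, so it is
-- written in rpm's embedded Lua rather than shell.
local base = "/usr/share/phpipam/functions/locale/"

-- Locale paths listed in the file-conflict report in this bug.
local locales = { "de_DE", "en", "es_ES", "fr_FR", "nl_NL", "pt_BR", "sl_SI" }

for _, name in ipairs(locales) do
  local path = base .. name
  local st = posix.stat(path)
  -- Act only when the old package left a directory at this path.
  -- A missing path (fresh install) or an existing symlink needs no work.
  if st and st.type == "directory" then
    local backup = path .. ".rpmmoved"
    local ok = os.rename(path, backup)
    local suffix = 0
    -- A non-empty backup from an earlier attempt makes the rename fail;
    -- fall back to a numbered name, with a bound so a different error
    -- (for example a read-only filesystem) cannot loop forever.
    while not ok and suffix < 100 do
      suffix = suffix + 1
      ok = os.rename(path, backup .. "." .. suffix)
    end
  end
end
```

With the old directories moved aside, rpm can create the new symlinks without the conflict; the `*.rpmmoved` directories stay on disk for the administrator to review or delete.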