FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-19 20:48:44 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
d7cd5015-08c9-11da-bc08-0001020eed82	gforge -- XSS and email flood vulnerabilities Jose Antonio Coret reports that GForge contains multiple Cross Site Scripting vulnerabilities and an e-mail flood vulnerability: The login form is also vulnerable to XSS (Cross Site Scripting) attacks. This may be used to launch phising attacks by sending HTML e-mails (i.e.: saying that you need to upgrade to the latest GForge version due to a security problem) and putting in the e-mail an HTML link that points to an specially crafted url that inserts an html form in the GForge login page and when the user press the login button, he/she send the credentials to the attackers website. The 'forgot your password?' feature allows a remote user to load a certain URL to cause the service to send a validation e-mail to the specified user's e-mail address. There is no limit to the number of messages sent over a period of time, so a remote user can flood the target user's secondary e-mail address. E-Mail Flood, E-Mail bomber. Discovery 2005-07-27 Entry 2005-08-09 gforge gt 0 14405 CVE-2005-2430 CVE-2005-2431 http://marc.theaimsgroup.com/?l=bugtraq&m=112259845904350
fe903533-ff96-4c7a-bd3e-4d40efa71897	gforge -- directory traversal vulnerability An STG Security Advisory reports: GForge CVS module made by Dragos Moinescu and another module made by Ronald Petty have a directory traversal vulnerability. [...] malicious attackers can read arbitrary directory lists. Discovery 2005-01-20 Entry 2005-06-03 gforge < 4.0 CVE-2005-0299 12318 http://marc.theaimsgroup.com/?l=bugtraq&m=110627132209963

VuXML ID

Description

d7cd5015-08c9-11da-bc08-0001020eed82

gforge -- XSS and email flood vulnerabilities

Jose Antonio Coret reports that GForge contains multiple Cross Site Scripting vulnerabilities and an e-mail flood vulnerability:

The login form is also vulnerable to XSS (Cross Site Scripting) attacks. This may be used to launch phising attacks by sending HTML e-mails (i.e.: saying that you need to upgrade to the latest GForge version due to a security problem) and putting in the e-mail an HTML link that points to an specially crafted url that inserts an html form in the GForge login page and when the user press the login button, he/she send the credentials to the attackers website.

The 'forgot your password?' feature allows a remote user to load a certain URL to cause the service to send a validation e-mail to the specified user's e-mail address. There is no limit to the number of messages sent over a period of time, so a remote user can flood the target user's secondary e-mail address. E-Mail Flood, E-Mail bomber.

Discovery 2005-07-27
Entry 2005-08-09
gforge

gt 0

14405
CVE-2005-2430
CVE-2005-2431
http://marc.theaimsgroup.com/?l=bugtraq&m=112259845904350

fe903533-ff96-4c7a-bd3e-4d40efa71897

gforge -- directory traversal vulnerability

An STG Security Advisory reports:

GForge CVS module made by Dragos Moinescu and another module made by Ronald Petty have a directory traversal vulnerability. [...] malicious attackers can read arbitrary directory lists.

Discovery 2005-01-20
Entry 2005-06-03
gforge

< 4.0

CVE-2005-0299
12318
http://marc.theaimsgroup.com/?l=bugtraq&m=110627132209963