Upstream information

CVE-2011-2650 at MITRE

Description

Cross-site scripting (XSS) vulnerability in Kiwi before 3.74.2, as used in SUSE Studio 1.1 before 1.1.4, allows remote attackers to inject arbitrary web script or HTML via a crafted pattern name that is included in an RPM info display.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having critical severity.

CVSS v2 Scores
  National Vulnerability Database
Base Score 4.3
Vector AV:N/AC:M/Au:N/C:N/I:P/A:N
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact None
Integrity Impact Partial
Availability Impact None
SUSE Bugzilla entry: 701816 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Studio Onsite 1.1 [Appliance - Studio]
  • kiwi >= 3.74.2-0.81.8
  • kiwi-desc-isoboot >= 3.74.2-0.81.8
  • kiwi-desc-netboot >= 3.74.2-0.81.8
  • kiwi-desc-oemboot >= 3.74.2-0.81.8
  • kiwi-desc-usbboot >= 3.74.2-0.81.8
  • kiwi-desc-vmxboot >= 3.74.2-0.81.8
  • kiwi-desc-xenboot >= 3.74.2-0.81.8
  • kiwi-doc >= 3.74.2-0.81.8
  • kiwi-tools >= 3.74.2-0.81.8
  • susestudio >= 1.1.4-0.19.2
  • susestudio-clicfs >= 1.1.4-0.19.2
  • susestudio-common >= 1.1.4-0.19.2
  • susestudio-image-helpers >= 1.1.4-0.3.2
  • susestudio-kiwi-runner >= 1.1.4-0.19.2
  • susestudio-rmds >= 1.1.4-0.19.2
  • susestudio-testdrive >= 1.1.4-0.19.2
  • susestudio-thoth >= 1.1.4-0.19.2
  • susestudio-ui-server >= 1.1.4-0.19.2
studioonsite1.1.x86-64
SAT Patch Nr: 4998


Status of this issue by product and package

Product(s) Source package State
SUSE Lifecycle Management Server 1.3 kiwi Released
SUSE Linux Enterprise SDK 11 SP1 kiwi Released