FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

py-djblets -- Self-XSS vulnerability

Affected packages
py27-djblets < 0.9.2
py32-djblets < 0.9.2
py33-djblets < 0.9.2
py34-djblets < 0.9.2
py35-djblets < 0.9.2


VuXML ID df328fac-f942-11e5-92ce-002590263bf5
Discovery 2016-03-01
Entry 2016-04-03

Djblets Release Notes reports:

A recently-discovered vulnerability in the datagrid templates allows an attacker to generate a URL to any datagrid page containing malicious code in a column sorting value. If the user visits that URL and then clicks that column, the code will execute.

The cause of the vulnerability was due to a template not escaping user-provided values.