BuildBot WebStatus waterfall 'branch' Parameter XSS

Medium | Nessus Plugin ID 42346

Synopsis

An application running on the remote web server has a cross-site scripting vulnerability.

Description

The version of BuildBot WebStatus running on the remote host has a cross-site scripting vulnerability. Input to the 'branch' parameter of the '/waterfall/help' page is not properly sanitized. A remote attacker could exploit this by tricking a user into requesting a malicious URL, which could result in the execution of arbitrary script code.

This version of BuildBot has several other cross-site scripting vulnerabilities, though Nessus has not checked for those issues.
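The defect class described above (CWE-79, reflected cross-site scripting) comes down to placing a query-string value into HTML without encoding it. The following Python snippet is an added illustration, not BuildBot code and not taken from this plugin: it models a hypothetical help-page handler that reflects a 'branch' parameter, shows the unencoded pattern beside the hardened form that HTML-escapes the value, and includes a small check a reviewer can run over a rendered page to confirm the untrusted value no longer reaches the output with its markup characters intact. The URL and the `<b>` payload are constructed sample input.

```python
import html
from urllib.parse import parse_qs, urlsplit


def branch_from_url(url: str) -> str:
    """Extract the 'branch' query parameter from a request URL (empty if absent)."""
    params = parse_qs(urlsplit(url).query)
    return params.get("branch", [""])[0]


def render_help_unescaped(branch: str) -> str:
    """Hypothetical 'before' handler: reflects the parameter verbatim.

    This is the CWE-79 pattern the advisory describes; anything the user puts
    in the URL becomes part of the page's markup.
    """
    return f"<p>Help for branch: {branch}</p>"


def render_help_escaped(branch: str) -> str:
    """Hardened form: HTML-encode the value before it enters markup.

    quote=True also encodes quotes, so the same helper is safe inside
    attribute values, not only in element text.
    """
    return f"<p>Help for branch: {html.escape(branch, quote=True)}</p>"


def reflects_raw_markup(rendered: str, untrusted: str) -> bool:
    """Return True if the untrusted value appears in the output with its
    HTML metacharacters unencoded (a sign the handler is still vulnerable).

    A value that contains no metacharacters cannot inject markup, so it is
    reported as safe even though it appears verbatim.
    """
    encoded = html.escape(untrusted, quote=True)
    if encoded == untrusted:
        return False
    return untrusted in rendered


if __name__ == "__main__":
    # Constructed sample request: a benign tag in the 'branch' parameter.
    sample_url = "http://build.example.test/waterfall/help?branch=%3Cb%3Etrunk%3C%2Fb%3E"
    value = branch_from_url(sample_url)

    before = render_help_unescaped(value)
    after = render_help_escaped(value)
    print("before:", before, "| reflects raw markup:", reflects_raw_markup(before, value))
    print("after: ", after, "| reflects raw markup:", reflects_raw_markup(after, value))
```

Running the block prints the vulnerable rendering first (the `<b>` tag survives into the page) and the hardened rendering second (the tag arrives as `&lt;b&gt;`), with `reflects_raw_markup` flagging only the former. The check is deliberately conservative: it treats a value that contains no HTML metacharacters as safe even when reflected verbatim, since such a value cannot change the page's structure.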

Solution

Upgrade to BuildBot 0.7.11p3 or later.

See Also

http://www.nessus.org/u?496926b6

http://buildbot.net/trac#SecurityAlert

Plugin Details

Severity: Medium

ID: 42346

File Name: buildbot_waterfall_help_xss.nasl

Version: 1.12

Type: remote

Published: 11/3/2009

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

Required KB Items: www/buildbot_webstatus

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Patch Publication Date: 8/14/2009

Vulnerability Publication Date: 8/12/2009

Reference Information

CVE: CVE-2009-2959

BID: 36100

CWE: 79

Secunia: 36352