Vulnerability Details : CVE-2011-2711
Cross-site scripting (XSS) vulnerability in the print_fileinfo function in ui-diff.c in cgit 0.9.0.2 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the filename associated with the rename hint.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2011-2711
- cpe:2.3:a:lars_hjemli:cgit:*:*:*:*:*:*:*:*
- cpe:2.3:a:lars_hjemli:cgit:0.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:lars_hjemli:cgit:0.8.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:lars_hjemli:cgit:0.8.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:lars_hjemli:cgit:0.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:lars_hjemli:cgit:0.8.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:lars_hjemli:cgit:0.8.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:lars_hjemli:cgit:0.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:lars_hjemli:cgit:0.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:lars_hjemli:cgit:0.4:*:*:*:*:*:*:*
- cpe:2.3:a:lars_hjemli:cgit:0.3:*:*:*:*:*:*:*
- cpe:2.3:a:lars_hjemli:cgit:0.8:*:*:*:*:*:*:*
- cpe:2.3:a:lars_hjemli:cgit:0.6:*:*:*:*:*:*:*
- cpe:2.3:a:lars_hjemli:cgit:0.5:*:*:*:*:*:*:*
- cpe:2.3:a:lars_hjemli:cgit:0.8.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:lars_hjemli:cgit:0.7:*:*:*:*:*:*:*
- cpe:2.3:a:lars_hjemli:cgit:0.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:lars_hjemli:cgit:0.2:*:*:*:*:*:*:*
- cpe:2.3:a:lars_hjemli:cgit:0.1:*:*:*:*:*:*:*
- cpe:2.3:a:lars_hjemli:cgit:0.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:lars_hjemli:cgit:0.8.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:lars_hjemli:cgit:0.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:lars_hjemli:cgit:0.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:lars_hjemli:cgit:0.8.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:lars_hjemli:cgit:0.9:*:*:*:*:*:*:*
- cpe:2.3:a:lars_hjemli:cgit:0.9.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:lars_hjemli:cgit:0.8.3.5:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2011-2711
0.12%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 45 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2011-2711
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.5
|
LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
6.8
|
2.9
|
NIST |
CWE ids for CVE-2011-2711
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2011-2711
-
http://hjemli.net/pipermail/cgit/2011-July/000276.html
404 Not FoundPatch
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/68754
cgit rename hint script cross-site scripting CVE-2011-2711 Vulnerability Report
-
https://bugzilla.redhat.com/show_bug.cgi?id=725042
725042 – (CVE-2011-2711) CVE-2011-2711 cgit: XSS flaw in rename hintPatch
-
http://www.openwall.com/lists/oss-security/2011/07/22/7
oss-security - Re: CVE Request -- cGit -- XSS flaw in rename hintPatch
-
http://www.openwall.com/lists/oss-security/2011/07/24/3
oss-security - Re: Re: CVE Request -- cGit -- XSS flaw in rename hintPatch
-
http://hjemli.net/git/cgit/commit/?h=stable&id=bebe89d7c11a92bf206bf6e528c51ffa8ecbc0d5
404 Not FoundPatch
-
http://www.openwall.com/lists/oss-security/2011/07/22/2
oss-security - CVE Request -- cGit -- XSS flaw in rename hintPatch
-
http://www.openwall.com/lists/oss-security/2011/07/22/6
oss-security - Re: CVE Request -- cGit -- XSS flaw in rename hint
-
http://www.openwall.com/lists/oss-security/2011/07/24/4
oss-security - Re: Re: CVE Request -- cGit -- XSS flaw in rename hintPatch
-
https://hermes.opensuse.org/messages/10998459
openSUSE.org - 503
-
http://www.securityfocus.com/bid/48866
cgit HTML Injection Vulnerability
Jump to