FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-11-19 19:12:13 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
7b35a77a-0151-11e7-ae1b-002590263bf5ikiwiki -- authentication bypass vulnerability

ikiwiki reports:

The ikiwiki maintainers discovered further flaws similar to CVE-2016-9646 in the passwordauth plugin's use of CGI::FormBuilder, with a more serious impact:

An attacker who can log in to a site with a password can log in as a different and potentially more privileged user.

An attacker who can create a new account can set arbitrary fields in the user database for that account


Discovery 2017-01-11
Entry 2017-03-05
ikiwiki
< 3.20170111

CVE-2017-0356
https://ikiwiki.info/security/#index48h2
5ed094a0-0150-11e7-ae1b-002590263bf5ikiwiki -- multiple vulnerabilities

Mitre reports:

ikiwiki 3.20161219 does not properly check if a revision changes the access permissions for a page on sites with the git and recentchanges plugins and the CGI interface enabled, which allows remote attackers to revert certain changes by leveraging permissions to change the page before the revision was made.

When CGI::FormBuilder->field("foo") is called in list context (and in particular in the arguments to a subroutine that takes named arguments), it can return zero or more values for foo from the CGI request, rather than the expected single value. This breaks the usual Perl parsing convention for named arguments, similar to CVE-2014-1572 in Bugzilla (which was caused by a similar API design issue in CGI.pm).


Discovery 2016-12-19
Entry 2017-03-05
ikiwiki
< 3.20161229

CVE-2016-10026
CVE-2016-9645
CVE-2016-9646
https://ikiwiki.info/security/#index46h2
https://ikiwiki.info/security/#index47h2