CVE-2009-2937
Published 2009-09-18
Priority: P4 · 23 · medium · CVSS 2.0 base score 4.3 · AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS: 4.50% (90.3rd percentile)
Cross-site scripting (XSS) vulnerability in Planet 2.0 and Planet Venus allows remote attackers to inject arbitrary web script or HTML via the SRC attribute of an IMG element in a feed.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| intertwingly | planet | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 4.3 | MEDIUM | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
Red Hat
CVE-2009-2937 [MEDIUM] planet: Insufficient escaping of input feeds
vendor_redhat · CVSS 4.3
GHSA
CVE-2009-2937 [MEDIUM] CWE-79 GHSA-rx5h-whxq-fw7x: Cross-site scripting (XSS) vulnerability in Planet 2
ghsa_unreviewed · 2022-05-02
OSV
CVE-2009-2937 [MEDIUM] Cross-site scripting (XSS) vulnerability in Planet 2
osv · 2009-09-18 · CVSS 4.3
No detection rules found.
Bugzilla
[MEDIUM] planet: Insufficient sanitization of "description" part of an "item", when it's not escaped within <![CDATA ... ]]>.
bugzilla · 2009-09-25 · CVSS 4.3
Stefan Cornelius of Secunia reported that planet fails to sanitize this input:
something something - should be filtered?
while
something something - should be filtered?]]>
is properly filtered.
At least Opera will execute this code.
Discussion:
I think this is a duplicate.
And it is already done.
*** This bug has been marked as a duplicate of bug 522802 ***
---
(In reply to comment #3)
> I think this is a duplicate.
>
> And it is already done.
>
> *** This bug has been marked as a duplicate of 522802 ***
This should be a different issue from CVE-2009-2937, but we need more details
from the reporter.
---
Adding the reporter to the CC. Also note that this issue seems to be public:
Bugzilla
CVE-2009-2937 [MEDIUM] planet: Insufficient escaping of input feeds
bugzilla · 2009-09-11 · CVSS 4.3
Quoting Debian bug report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546178
The planet feed aggregator attempts to remove malicious content from
user-submitted feeds. It does a great job, but fails to sanitize
this input:
At least Opera will execute this code.
Discussion:
Patch proposed in the Debian bug report:
--- planet-2.0.orig/planet/sanitize.py
+++ planet-2.0/planet/sanitize.py
@@ -70,6 +70,12 @@
# utility method to be called by descendants
attrs = [(k.lower(), v) for k, v in attrs]
attrs = [(k, k in ('rel', 'type') and v.lower() or v) for k, v in attrs]
+
+ for i in xrange (len (attrs)):
+ k,v = attrs[i]
+ if (( k == "src" ) or ( k == "href" ) ) and (v.find("javascript:" ) <> -1 ):
+ del attrs[i]
+
return attr
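Review bot: deleting from `attrs` inside `for i in xrange (len (attrs))` is unsafe. The range is fixed at the original length, so after the first `del attrs[i]` the list is shorter: a later index can raise IndexError, and the element that shifted into position `i` is never examined, so a second offending attribute on the same tag survives. Build a new list instead, e.g. `attrs = [(k, v) for k, v in attrs if not (k in ('src', 'href') and 'javascript:' in v)]`. The test itself is also a case-sensitive substring search; the line just above the hunk already lower-cases `rel`/`type` values, so at minimum lower-case `v` here, and better still compare the parsed URL scheme against an allowlist of permitted schemes rather than looking for one forbidden string. Minor: `<>` is the Python 2-only spelling of `!=`.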
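The patch above is a denylist for one string. As an added example (this is not Planet's sanitize.py and not the Debian patch), the following Python 3 code shows the allowlist shape of the same fix: it decides on the URL scheme that `urlsplit` extracts from a normalised value, drops event-handler attributes, removes script-bearing elements, and builds a new attribute list instead of deleting from the one being iterated. It works on an item's description HTML as the feed layer hands it over, whichever way the feed carried it. The names `url_allowed`, `sanitize_attrs`, `FeedHTMLSanitizer`, `sanitize_description`, the `URL_ATTRS`/`ALLOWED_SCHEMES`/`DROP_ELEMENTS` policy sets and `SAMPLE_DESCRIPTION` are all this example's own assumptions, and the sample input is constructed, not the payload from the bug reports.

```python
"""Allowlist-based sanitizer for HTML carried in aggregated feed items.

Added example, not Planet's sanitize.py and not the Debian patch. Assumed
here: attributes arrive as (name, value) pairs, as in the patch, and an
aggregator only needs http, https, mailto and relative URLs.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose value a browser will fetch or navigate to.
URL_ATTRS = {"src", "href", "action", "data", "poster", "formaction"}
# Policy choice for this example: every other scheme (javascript:, data:, ...) is dropped.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# Elements removed together with their content rather than escaped.
DROP_ELEMENTS = {"script", "style", "iframe", "object", "embed"}


def url_allowed(value):
    """True if the URL is relative or its parsed scheme is allowlisted.

    The decision is made on the scheme urlsplit extracts from a normalised
    value, not on a substring search, so letter case and surrounding
    whitespace do not change the outcome.
    """
    if value is None:
        return False
    # Browsers ignore tab/newline inside a URL and leading/trailing spaces.
    cleaned = value.replace("\t", "").replace("\r", "").replace("\n", "").strip()
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme == "":
        return True  # relative or protocol-relative URL: resolved like any http(s) link
    return scheme in ALLOWED_SCHEMES


def sanitize_attrs(attrs):
    """Return a new attribute list with script-bearing attributes removed.

    A new list is built instead of deleting from the one being indexed, so
    no element is skipped and no index runs past the shortened list.
    """
    kept = []
    for name, value in attrs:
        name = name.lower()
        if name.startswith("on"):  # onclick, onerror, ...: inline script, always dropped
            continue
        if name in URL_ATTRS and not url_allowed(value):
            continue
        kept.append((name, value))
    return kept


class FeedHTMLSanitizer(HTMLParser):
    """Re-serialises an HTML fragment, passing every start tag through sanitize_attrs."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # >0 while inside a DROP_ELEMENTS subtree

    def handle_starttag(self, tag, attrs):
        if tag in DROP_ELEMENTS:
            self._skip_depth += 1
            return
        if self._skip_depth:
            return
        parts = [tag] + [f'{n}="{escape(v or "", quote=True)}"' for n, v in sanitize_attrs(attrs)]
        self.out.append("<" + " ".join(parts) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <img ... />: start tag only, void elements need no close

    def handle_endtag(self, tag):
        if tag in DROP_ELEMENTS:
            self._skip_depth = max(0, self._skip_depth - 1)
        elif not self._skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))  # text stays text

    def result(self):
        return "".join(self.out)


def sanitize_description(html_fragment):
    """Sanitize one item's description HTML as handed over by the feed parser."""
    parser = FeedHTMLSanitizer()
    parser.feed(html_fragment)
    parser.close()
    return parser.result()


# Constructed sample item body (not the payload from the bug reports).
SAMPLE_DESCRIPTION = (
    '<p>Hello <b onclick="alert(1)">world</b> '
    '<img src="javascript:alert(1)" alt="bad"> '
    '<img src="https://example.org/pic.png" alt="ok"> '
    '<a href=" JavaScript:alert(1)">link</a> '
    '<a href="/local/page.html">rel</a> '
    '<script>alert(1)</script></p>'
)

if __name__ == "__main__":
    print(sanitize_description(SAMPLE_DESCRIPTION))
```

The policy sets are the place to tune this for a real deployment: dropping `data:` URLs also discards inline images some feeds legitimately use, so that is a trade-off to make consciously rather than a universal rule.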
References
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546178
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546179
http://intertwingly.net/blog/2009/09/09/Venus-Updates
http://lists.planetplanet.org/archives/devel/2009-September/001999.html
http://secunia.com/advisories/36636
http://secunia.com/advisories/36766
http://www.securityfocus.com/bid/36392
https://bugzilla.redhat.com/show_bug.cgi?id=522802
https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00504.html
https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00525.html