CVE-2010-3906
Published 2010-12-17
Priority P4 · 25 · medium · 4.3 (CVSS 2.0)
CVSS vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Exploit
EPSS: 5.61% (92.0th percentile)
Cross-site scripting (XSS) vulnerability in Gitweb 1.7.3.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) f and (2) fp parameters.
Affected
143 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | git | < git 1:1.7.2.3-2.2 (bookworm) | git 1:1.7.2.3-2.2 (bookworm) |
| git-scm | git | <= 1.7.3.3 | — |
| git-scm | git | — | — |
| git | git | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 4.3 | MEDIUM | — |
| vendor_debian | — | 4.3 | MEDIUM | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
Red Hat
(gitweb): XSS due to missing escaping of HTML element attributes
vendor_redhat · 2010-12-15 · CVSS 4.3 · MEDIUM · CWE-79
Debian
CVE-2010-3906: git - Cross-site scripting (XSS) vulnerability in Gitweb 1.7.3.3 and earlier allows re...
vendor_debian · 2010 · CVSS 4.3 · MEDIUM
Scope: local
bookworm: resolved (fixed in 1:1.7.2.3-2.2)
bullseye: resolved (fixed in 1:1.7.2.3-2.2)
forky: resolved (fixed in 1:1.7.2.3-2.2)
sid: resolved (fixed in 1:1.7.2.3-2.2)
trixie: resolved (fixed in 1:1.7.2.3-2.2)
GHSA
GHSA-3mrf-mhch-542p: Cross-site scripting (XSS) vulnerability in Gitweb 1
ghsa_unreviewed · 2022-05-13 · MEDIUM · CWE-79
OSV
CVE-2010-3906: Cross-site scripting (XSS) vulnerability in Gitweb 1
osv · 2010-12-17 · CVSS 4.3 · MEDIUM
No detection rules found.
Bugzilla
CVE-2010-3906 Git (gitweb): XSS due to missing escaping of HTML element attributes
bugzilla · 2010-12-16 · CVSS 4.3 · MEDIUM
A cross-site scripting (XSS) flaw was found in the web interface of the Git distributed revision control system. A remote attacker could use this flaw to execute arbitrary HTML or scripting code by providing a certain URL with specially-crafted values of the f and fp variables.
References:
[1] http://www.bugsearch.net/en/11075/gitweb-1733-cross-site-scripting-cve-2010-3906.html?ref=3
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607248
Upstream changeset:
[3] http://repo.or.cz/w/git.git/commit/3017ed62f47ce14a959e2d315c434d4980cf4243
Public PoC (from [1]):
http://localhost/?p=foo/bar/ph33r.git;a=blobdiff;f=[XSS];fp=[XSS]
[XSS] => "> <a
Credit:
Emanuele 'emgent' Gentili
Discussion:
This issue affects the
Bugzilla
CVE-2010-3906 Git (gitweb): XSS by processing unsafe HTML attributes [fedora-all]
bugzilla · 2010-12-16 · CVSS 4.3 · MEDIUM
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected Fedora versions.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the respective parent bugs filed against the "Security Response" product. Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=663609
Please note: this issue affects m
References
http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052518.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/052782.html
http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00004.html
http://secunia.com/advisories/42645
http://secunia.com/advisories/42731
http://secunia.com/advisories/42743
http://secunia.com/advisories/43457
http://www.exploit-db.com/exploits/15744
http://www.mandriva.com/security/advisories?name=MDVSA-2010:256
http://www.redhat.com/support/errata/RHSA-2010-1003.html
http://www.securityfocus.com/bid/45439
http://www.securitytracker.com/id?1024905
http://www.vupen.com/english/advisories/2010/3323
http://www.vupen.com/english/advisories/2011/0010
http://www.vupen.com/english/advisories/2011/0464