CVE-2012-3522
published 2014-06-13CVE-2012-3522: Cross-site scripting (XSS) vulnerability in contrib/langwiz.php in GeSHi before 1.0.8.11 allows remote attackers to inject arbitrary web script or HTML via…
PriorityP417medium4.3CVSS 2.0
AVNACMAuNCNIPAN
EPSS
1.24%
65.4th percentile
Cross-site scripting (XSS) vulnerability in contrib/langwiz.php in GeSHi before 1.0.8.11 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | geshi | — | — |
| geshi | geshi | >= 0 < 1.0.8.11 | 1.0.8.11 |
| qbnz | geshi | <= 1.0.8.10 | — |
| qbnz | geshi | — | — |
| qbnz | geshi | — | — |
| qbnz | geshi | — | — |
| qbnz | geshi | — | — |
| qbnz | geshi | — | — |
| qbnz | geshi | — | — |
| qbnz | geshi | >= 0 < 1.0.8.11-2 | 1.0.8.11-2 |
| qbnz | geshi | >= 0 < 1.0.8.11-2 | 1.0.8.11-2 |
CVSS provenance
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
osv4.3MEDIUM
vendor_debian4.3LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
GeSHi vulnerable to Cross-site Scripting
osv·2022-05-17
CVE-2012-3522 [MEDIUM] GeSHi vulnerable to Cross-site Scripting
GeSHi vulnerable to Cross-site Scripting
Cross-site scripting (XSS) vulnerability in contrib/langwiz.php in GeSHi before 1.0.8.11 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
GHSA
GeSHi vulnerable to Cross-site Scripting
ghsa·2022-05-17
CVE-2012-3522 [MEDIUM] CWE-79 GeSHi vulnerable to Cross-site Scripting
GeSHi vulnerable to Cross-site Scripting
Cross-site scripting (XSS) vulnerability in contrib/langwiz.php in GeSHi before 1.0.8.11 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
OSV
CVE-2012-3522: Cross-site scripting (XSS) vulnerability in contrib/langwiz
osv·2014-06-13·CVSS 4.3
CVE-2012-3522 [MEDIUM] CVE-2012-3522: Cross-site scripting (XSS) vulnerability in contrib/langwiz
Cross-site scripting (XSS) vulnerability in contrib/langwiz.php in GeSHi before 1.0.8.11 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Debian
CVE-2012-3522: geshi - Cross-site scripting (XSS) vulnerability in contrib/langwiz.php in GeSHi before ...
vendor_debian·2012·CVSS 4.3
CVE-2012-3522 [MEDIUM] CVE-2012-3522: geshi - Cross-site scripting (XSS) vulnerability in contrib/langwiz.php in GeSHi before ...
Cross-site scripting (XSS) vulnerability in contrib/langwiz.php in GeSHi before 1.0.8.11 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2012-3521 CVE-2012-3522 php-geshi: Various flaws [fedora-all]
bugzilla·2012-08-21·CVSS 5.0
CVE-2012-3521 [MEDIUM] CVE-2012-3521 CVE-2012-3522 php-geshi: Various flaws [fedora-all]
CVE-2012-3521 CVE-2012-3522 php-geshi: Various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=8504
Bugzilla
CVE-2012-3522 php-geshi: Non-persistent XSS in langwiz contrib script
bugzilla·2012-08-21·CVSS 4.3
CVE-2012-3522 [MEDIUM] CVE-2012-3522 php-geshi: Non-persistent XSS in langwiz contrib script
CVE-2012-3522 php-geshi: Non-persistent XSS in langwiz contrib script
A cross-site scripting (XSS) flaw was found in the way 'langwiz' example script of GeSHi, a generic syntax highlighter, performed sanitization of certain HTTP GET / POST request variables (prior dumping their content). A remote attacker could provide a specially-crafted URL that, when visited would lead to arbitrary HTML or web script execution.
References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685323
Relevant upstream patch (according to clarification by Raphael Geissert in
http://www.openwall.com/lists/oss-security/2012/08/21/9):
[2] http://geshi.svn.sourceforge.net/viewvc/geshi?view=revision&revision=2508
Discussion:
This issue affects the versions of the php-geshi package, as shipped with Fedora
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105247.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2013-May/105273.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2013-May/105317.htmlhttp://sourceforge.net/p/geshi/code/2508/http://www.openwall.com/lists/oss-security/2012/08/21/11http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105247.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2013-May/105273.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2013-May/105317.htmlhttp://sourceforge.net/p/geshi/code/2508/http://www.openwall.com/lists/oss-security/2012/08/21/11
2014-06-13
Published