CVE-2002-1348

Name	CVE-2002-1348
Description	w3m before 0.3.2.2 does not properly escape HTML tags in the ALT attribute of an IMG tag, which could allow remote attackers to access files or cookies.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References	DSA-249, DSA-250, DSA-251
NVD severity	medium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
w3m (PTS)	wheezy	0.5.3-8	fixed
	jessie	0.5.3-19+deb8u2	fixed
	buster, sid, stretch	0.5.3-34	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
w3m	source	(unstable)	0.3.2.2-1	medium
w3m	source	woody	0.3-2.4	medium	DSA-251
w3mmee	source	(unstable)	0.3.p24.17-3	medium
w3mmee	source	woody	0.3-2.4	medium	DSA-249