CVE-2006-3695

NameCVE-2006-3695
DescriptionTrac before 0.9.6 does not disable the "raw" or "include" commands when providing untrusted users with restructured text (reStructuredText) functionality from docutils, which allows remote attackers to read arbitrary files, perform cross-site scripting (XSS) attacks, or cause a denial of service via unspecified vectors. NOTE: this might be related to CVE-2006-3458.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDSA-1152

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
trac (PTS)buster1.2.3+dfsg-1fixed
bookworm, sid1.5.3+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tracsourcesarge0.8.1-3sarge5
tracsource(unstable)0.9.6-1medium

Search for package or bug name: Reporting problems