CVE-2009-2324

Name	CVE-2009-2324
Description	Multiple cross-site scripting (XSS) vulnerabilities in FCKeditor before 2.6.4.1 allow remote attackers to inject arbitrary web script or HTML via components in the samples (aka _samples) directory.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-1836-1
Debian Bugs	536051

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
moin (PTS)	buster, buster (security)	1.9.9-1+deb10u1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
egroupware	source	(unstable)	(not affected)
fckeditor	source	lenny	1:2.6.2-1lenny1		DSA-1836-1
fckeditor	source	(unstable)	1:2.6.4.1-1	low		536051
gforge	source	etch	(not affected)
gforge	source	(unstable)	4.6.99+svn6225-1
karrigell	source	etch	(not affected)
karrigell	source	(unstable)	(unfixed)
knowledgeroot	source	etch	(not affected)
knowledgeroot	source	(unstable)	0.9.8.5-3
moin	source	etch	(not affected)
moin	source	(unstable)	1.8.2-2
request-tracker3.8	source	(unstable)	(not affected)

Notes

moin from 1.8.2-2 uses systemwide copy of fckeditor
[lenny] - moin <no-dsa> (unimportant; provides FCKeditor as example files in /usr/share/doc, but not executable in general case)
[etch] - moin <not-affected> (doesn't provide FCKeditor sample files)
knowledgeroot from 0.9.8.5-3 uses systemwide copy of fckeditor
[etch] - knowledgeroot <not-affected> (doesn't provide FCKeditor sample files)
[etch] - karrigell <not-affected> (doesn't provide FCKeditor sample files)
[etch] - gforge <not-affected> (doesn't contain FCKeditor)
- egroupware <not-affected> (doesn't provide FCKeditor sample files)
- request-tracker3.8 <not-affected> (doesn't provide FCKeditor sample files)