DescriptionMultiple cross-site scripting (XSS) vulnerabilities in the wiki application in Yaws 1.88 allow remote attackers to inject arbitrary web script or HTML via (1) the tag parameter to editTag.yaws, (2) the index parameter to showOldPage.yaws, (3) the node parameter to allRefsToMe.yaws, or (4) the text parameter to editPage.yaws.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
Debian Bugs653966

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
yaws (PTS)stretch2.0.4+dfsg-1fixed
stretch (security)2.0.4+dfsg-1+deb9u1fixed
buster, buster (security)2.0.6+dfsg-1+deb10u1fixed
bookworm, sid2.1.1+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


[squeeze] - yaws <no-dsa> (Minor issue)

Search for package or bug name: Reporting problems