CVE-2014-3207

Name: CVE-2014-3207
Description: Cross-site scripting (XSS) vulnerability in wserver.ml in SKS Keyserver before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to pks/lookup/undefined1.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium (attack range: remote)
Debian Bugs: 746626

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| sks (PTS) | jessie | 1.1.5-3 | fixed |
| | stretch | 1.1.6-4 | fixed |
| | buster, sid | 1.1.6-14 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| sks | source | (unstable) | 1.1.5-1 | low | | 746626 |
| sks | source | wheezy | 1.1.3-2+deb7u1 | medium | | |

Notes

[squeeze] - sks <no-dsa> (Minor issue)
https://bitbucket.org/skskeyserver/sks-keyserver/issue/26/unfiltered-xss
https://bugzilla.mozilla.org/show_bug.cgi?id=952077
