SB2019101719 - Cross-site scripting in python2-tkinter (Alpine package)
Published: October 17, 2019
Description
This security bulletin contains information about 1 security vulnerability.
1) Cross-site scripting (CVE-ID: CVE-2019-16935)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing the server_title field in the XML-RPC server (Lib/DocXMLRPCServer.py) in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
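As an added illustration (not code from CPython or from the Alpine package), the following shows the unsafe interpolation pattern behind this bug next to its escaped form, and probes whether the interpreter running it HTML-escapes server_title in the generated documentation page; `_DocOnlyServer`, `ping` and `SAMPLE_TITLE` are constructed for this example.

```python
"""Unescaped server_title (CVE-2019-16935): vulnerable vs hardened rendering,
plus a probe of the running interpreter's xmlrpc.server documentation page."""
import html
from xmlrpc.server import SimpleXMLRPCDispatcher, XMLRPCDocGenerator

# Constructed sample: a server title that carries HTML markup.
SAMPLE_TITLE = '<b>docs</b>'


def render_title_unescaped(title: str) -> str:
    """Mirrors the vulnerable pattern: the title is interpolated into the
    <title> element as-is, so markup in it reaches the browser intact."""
    return '<html><head><title>Python: %s</title></head></html>' % title


def render_title_escaped(title: str) -> str:
    """Hardened form: HTML-escape the value before interpolating it."""
    return '<html><head><title>Python: %s</title></head></html>' % html.escape(title)


def title_is_escaped(page: str, raw_title: str) -> bool:
    """True when the raw markup is absent from the page and its escaped form
    is present, i.e. the title was neutralised before reaching the HTML."""
    return raw_title not in page and html.escape(raw_title) in page


def ping() -> str:
    """Constructed sample method so the documentation page has content."""
    return 'pong'


class _DocOnlyServer(SimpleXMLRPCDispatcher, XMLRPCDocGenerator):
    """DocXMLRPCServer without the socket: dispatcher plus documentation
    generator is enough to call generate_html_documentation() offline."""

    def __init__(self):
        SimpleXMLRPCDispatcher.__init__(self, allow_none=False, encoding=None)
        XMLRPCDocGenerator.__init__(self)


def installed_python_escapes_title(title: str = SAMPLE_TITLE) -> bool:
    """Set a server_title containing markup, render the documentation page
    with the interpreter's own xmlrpc.server and check that it was escaped."""
    srv = _DocOnlyServer()
    srv.register_function(ping, 'ping')
    srv.set_server_title(title)
    return title_is_escaped(srv.generate_html_documentation(), title)


if __name__ == '__main__':
    print('vulnerable pattern escapes title:',
          title_is_escaped(render_title_unescaped(SAMPLE_TITLE), SAMPLE_TITLE))
    print('hardened pattern escapes title:  ',
          title_is_escaped(render_title_escaped(SAMPLE_TITLE), SAMPLE_TITLE))
    print('this interpreter escapes title:  ', installed_python_escapes_title())
```

On a patched Python (3.7.5, 3.8.0 and later) the probe returns True; on an unpatched build the raw markup appears verbatim in the page and it returns False.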
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=fa2e9ccaee464ee4185696c4ac889805f3814783
- https://git.alpinelinux.org/aports/commit/?id=8135de912b23c9bd9649fa7b6a59ec455529b7af
- https://git.alpinelinux.org/aports/commit/?id=99c195369d53843a8a4f186257072600a773bbde
- https://git.alpinelinux.org/aports/commit/?id=b98b6bd76527ff7e722baece7a94e43ddb008a9d
- https://git.alpinelinux.org/aports/commit/?id=f9cad74766ad5ff7993edff870a528b7fe0369ef
- https://git.alpinelinux.org/aports/commit/?id=fa23adfbfb1cbac13db3251e811e4e0773e8b6b8
- https://git.alpinelinux.org/aports/commit/?id=21e9ba95ddc99b6eba313049d9b465e98d78528e
- https://git.alpinelinux.org/aports/commit/?id=5372bc29f308df62681eb2d705259cd5cc9b5448
- https://git.alpinelinux.org/aports/commit/?id=c01f27f5016fb801d36ffea67177a9f2f6b6f784
- https://git.alpinelinux.org/aports/commit/?id=881a54816216d011d1d27286df2693851c86caef
- https://git.alpinelinux.org/aports/commit/?id=40a4951871b0a2e718de6a07e0772730fc280d06
- https://git.alpinelinux.org/aports/commit/?id=e9bd8a37793b2737c60e8aabb4e30540de6420cc
- https://git.alpinelinux.org/aports/commit/?id=9c34a237cf52d34f870ec322b8a00a19f72b4616
- https://git.alpinelinux.org/aports/commit/?id=a78524311859be920dd94ea73d2b5ba63ec36c31
- https://git.alpinelinux.org/aports/commit/?id=acfecae8b1c02f9e1c60fd86eedbd287c2041972
- https://git.alpinelinux.org/aports/commit/?id=5ac7d9845072728829c7c7baa416b73cfd04dee9
- https://git.alpinelinux.org/aports/commit/?id=32551f10cc7789a36283459beaadc2c6a9be0101
- https://git.alpinelinux.org/aports/commit/?id=df74bb35f4ace14f0d6d6edbeca3fc6f1e74d66a