CVE-2011-0728 — Loggerhead XSS via filename

Description

Cross-site scripting (XSS) vulnerability in templatefunctions.py in Loggerhead before 1.18.1 allows remote authenticated users to inject arbitrary web script or HTML via a filename, which is not properly handled in a revision view.

How to fix CVE-2011-0728

To remediate CVE-2011-0728, upgrade the affected package to a fixed version below.

Debian/loggerhead—upgrade to 1.18.1-1 or later
PyPI/loggerhead—upgrade to 1.18.1 or later

Is CVE-2011-0728 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 1.18.1-1
from 0, < 1.18.1

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2011-0728
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2011-0728
WEBlists.fedoraproject.org/pipermail/package-announce/2011-April/057413.html
WEBlists.fedoraproject.org/pipermail/package-announce/2011-April/057479.html