Package: qa.debian.org
Severity: normal

The following URLs demonstrate that it is possible to inject client-side script (such as JavaScript) and HTML tags into the HTML form (1) and error message (2) output generated by the "advanced [PTS] subscription" script.

(1) http://packages.qa.debian.org/cgi-bin/pts.cgi?package=%22%3E%3Cscript%3Ealert('XSS')%3B%3C/script%3E%3Cz=%22&what=advanced&email=@

(2) http://packages.qa.debian.org/cgi-bin/pts.cgi?email=%3Cscript%3Ealert('XSS')%3B%3C/script%3E

While this is usually handled as a security issue, the implication seems to be very small, so I'm tagging this as normal gravity.

Thanks for reading & possibly fixing,
Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-k7
Locale: LANG=de_DE.utf-8, LC_CTYPE=de_DE.utf-8 (charmap=UTF-8)
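As an added illustration of the reflected-XSS pattern the report describes, the Python sketch below is not the PTS script's own code: the form layout, the error message text and the function names are hypothetical. It decodes the two query strings from the report's URLs the way a CGI handler would, renders them once unescaped (the reported behaviour) and once with HTML escaping of both attribute values and element content, and shows that the first payload breaks out of a double-quoted `value="..."` attribute while the second lands directly in element text. The escaping helper uses `html.escape(..., quote=True)` from the standard library.

```python
import html
from urllib.parse import parse_qs

# Constructed inputs: the query strings taken from the two URLs in the report.
QUERY_FORM = ("package=%22%3E%3Cscript%3Ealert('XSS')%3B%3C/script%3E%3Cz=%22"
              "&what=advanced&email=@")
QUERY_ERROR = "email=%3Cscript%3Ealert('XSS')%3B%3C/script%3E"


def params(query):
    """Decode a query string into {name: first value}, as a CGI script would."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def render_form_vulnerable(query):
    """Hypothetical form renderer that reflects parameters unescaped.

    The 'package' value is placed inside a double-quoted attribute, so a value
    starting with '">' closes the attribute and the tag and the rest of the
    payload is parsed as new markup."""
    p = params(query)
    return ('<form action="pts.cgi" method="get">'
            '<input name="package" value="' + p.get("package", "") + '">'
            '<input name="email" value="' + p.get("email", "") + '">'
            '<input type="hidden" name="what" value="advanced">'
            '</form>')


def render_error_vulnerable(query):
    """Hypothetical error page that echoes the rejected address into element text."""
    email = params(query).get("email", "")
    return "<p>Invalid e-mail address: " + email + "</p>"


def esc(value):
    """Escape for HTML element content and double-quoted attribute values.

    quote=True additionally converts '"' and "'" so that a value can never
    terminate the attribute it is written into."""
    return html.escape(value, quote=True)


def render_form_safe(query):
    """Same form, with every reflected value escaped at the point of output."""
    p = params(query)
    return ('<form action="pts.cgi" method="get">'
            '<input name="package" value="' + esc(p.get("package", "")) + '">'
            '<input name="email" value="' + esc(p.get("email", "")) + '">'
            '<input type="hidden" name="what" value="advanced">'
            '</form>')


def render_error_safe(query):
    """Same error page, with the echoed address escaped."""
    email = params(query).get("email", "")
    return "<p>Invalid e-mail address: " + esc(email) + "</p>"


def reflects_script(markup):
    """Crude check: does a raw <script> start tag survive into the output?"""
    return "<script>" in markup.lower()


if __name__ == "__main__":
    for label, fn, q in [("form, unescaped", render_form_vulnerable, QUERY_FORM),
                         ("form, escaped", render_form_safe, QUERY_FORM),
                         ("error, unescaped", render_error_vulnerable, QUERY_ERROR),
                         ("error, escaped", render_error_safe, QUERY_ERROR)]:
        out = fn(q)
        print(f"{label:17s} script reflected: {reflects_script(out)}")
        print("   ", out)
```

The `reflects_script` check is deliberately naive (a substring match) and only serves to make the difference visible; a real regression test for a fix like this should compare against the exact expected escaped output, since attacker input does not need a literal `<script>` tag (an event handler attribute after breaking out of `value="..."` is enough).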