I'll add to this bug instead of making a new one.
/cgi-bin/cookies.cgi contains XSS (persistent via cookie) and Header
injection vulnerabilities in vars repeatmerged, terse, reverse, trim,
oldview
XSS PoC:
https://bugs.debian.org/cgi-bin/cookies.cgi?repeatmerged=%3Cscript%3Ealert('xss')%3B%3C/script%3E
Header injection PoC:
https://bugs.debian.org/cgi-bin/cookies.cgi?repeatmerged=%0aLocation%3A%20http%3A%2F%2Fgoogle.com%2F%0a
-v
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org