Mandriva Linux Security Advisory : mono (MDVSA-2012:140)

medium Nessus Plugin ID 61985

Synopsis

The remote Mandriva Linux host is missing one or more security updates.

Description

A vulnerability has been discovered and corrected in mono:

Cross-site scripting (XSS) vulnerability in the ProcessRequest function in mcs/class/System.Web/System.Web/HttpForbiddenHandler.cs in Mono 2.10.8 and earlier allows remote attackers to inject arbitrary web script or HTML via a file with a crafted name and a forbidden extension, which is not properly handled in an error message (CVE-2012-3382).

The updated packages have been patched to correct this issue.

Solution

Update the affected packages.

Plugin Details

Severity: Medium

ID: 61985

File Name: mandriva_MDVSA-2012-140.nasl

Version: 1.7

Type: local

Published: 9/6/2012

Updated: 1/6/2021

Risk Information

VPR

Risk Factor: Low

Score: 3

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.6

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Temporal Vector: E:F/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:lib64mono-devel, p-cpe:/a:mandriva:linux:lib64mono0, p-cpe:/a:mandriva:linux:lib64mono2.0_1, p-cpe:/a:mandriva:linux:libmono-devel, p-cpe:/a:mandriva:linux:libmono0, p-cpe:/a:mandriva:linux:libmono2.0_1, p-cpe:/a:mandriva:linux:mono, p-cpe:/a:mandriva:linux:mono-2.0, p-cpe:/a:mandriva:linux:mono-4.0, p-cpe:/a:mandriva:linux:mono-compat, p-cpe:/a:mandriva:linux:mono-data, p-cpe:/a:mandriva:linux:mono-data-2.0, p-cpe:/a:mandriva:linux:mono-data-4.0, p-cpe:/a:mandriva:linux:mono-data-compat, p-cpe:/a:mandriva:linux:mono-doc, p-cpe:/a:mandriva:linux:mono-extras, p-cpe:/a:mandriva:linux:mono-extras-2.0, p-cpe:/a:mandriva:linux:mono-extras-4.0, p-cpe:/a:mandriva:linux:mono-extras-compat, p-cpe:/a:mandriva:linux:mono-locale-extras, p-cpe:/a:mandriva:linux:mono-locale-extras-2.0, p-cpe:/a:mandriva:linux:mono-locale-extras-4.0, p-cpe:/a:mandriva:linux:mono-locale-extras-compat, p-cpe:/a:mandriva:linux:mono-nunit, p-cpe:/a:mandriva:linux:mono-wcf, p-cpe:/a:mandriva:linux:mono-wcf-2.0, p-cpe:/a:mandriva:linux:mono-wcf-4.0, p-cpe:/a:mandriva:linux:mono-web, p-cpe:/a:mandriva:linux:mono-web-2.0, p-cpe:/a:mandriva:linux:mono-web-4.0, p-cpe:/a:mandriva:linux:mono-web-compat, p-cpe:/a:mandriva:linux:mono-winforms, p-cpe:/a:mandriva:linux:mono-winforms-2.0, p-cpe:/a:mandriva:linux:mono-winforms-4.0, p-cpe:/a:mandriva:linux:mono-winforms-compat, p-cpe:/a:mandriva:linux:mono-winfxcore, p-cpe:/a:mandriva:linux:mono-winfxcore-2.0, p-cpe:/a:mandriva:linux:mono-winfxcore-4.0, p-cpe:/a:mandriva:linux:monodoc-core, cpe:/o:mandriva:linux:2011

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/20/2012

Reference Information

CVE: CVE-2012-3382

BID: 54344

MDVSA: 2012:140