PYSEC-2006-2

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/trac/PYSEC-2006-2.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2006-2

Aliases

CVE-2006-3695
GHSA-r524-c2gf-5chr

Published

2006-07-21T14:03:00Z

Modified

2024-04-29T15:11:44.852085Z

Summary

[none]

Details

Trac before 0.9.6 does not disable the "raw" or "include" commands when providing untrusted users with restructured text (reStructuredText) functionality from docutils, which allows remote attackers to read arbitrary files, perform cross-site scripting (XSS) attacks, or cause a denial of service via unspecified vectors. NOTE: this might be related to CVE-2006-3458.

References

http://trac.edgewall.org/wiki/ChangeLog
http://securitytracker.com/id?1016457
http://www.debian.org/security/2006/dsa-1152
http://secunia.com/advisories/20958
http://secunia.com/advisories/21534
http://www.securityfocus.com/bid/18323
http://www.vupen.com/english/advisories/2006/2729
https://exchange.xforce.ibmcloud.com/vulnerabilities/27708
https://exchange.xforce.ibmcloud.com/vulnerabilities/27706

Affected packages

PyPI / trac

Package

Name: trac; View open source insights on deps.dev
Purl: pkg:pypi/trac

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.9.6

Affected versions

0.*

0.8.4

0.9