CVE-2012-3382

Cross-site scripting (XSS) vulnerability in the ProcessRequest function in mcs/class/System.Web/System.Web/HttpForbiddenHandler.cs in Mono 2.10.8 and earlier allows remote attackers to inject arbitrary web script or HTML via a file with a crafted name and a forbidden extension, which is not properly handled in an error message.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 52%
VendorProductVersion
monomono
𝑥
≤ 2.10.8
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
mono
bullseye
6.8.0.105+dfsg-3.3~deb11u1
fixed
bookworm
6.8.0.105+dfsg-3.3
fixed
sid
6.12.0.199+dfsg-2
fixed
trixie
6.12.0.199+dfsg-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
mono
precise
Fixed 2.10.8.1-1ubuntu2.2
released
oneiric
Fixed 2.10.5-1ubuntu0.1
released
natty
Fixed 2.6.7-5ubuntu3.1
released
lucid
Fixed 2.4.4~svn151842-1ubuntu4.1
released
hardy
ignored
Common Weakness Enumeration
References
http://www.mandriva.com/security/advisories?name=MDVSA-2012:140
http://www.openwall.com/lists/oss-security/2012/07/06/11
https://bugzilla.novell.com/show_bug.cgi?id=769799
https://github.com/mono/mono/commit/d16d4623edb210635bec3ca3786481b82cde25a2
https://hermes.opensuse.org/messages/15374367
http://www.mandriva.com/security/advisories?name=MDVSA-2012:140
http://www.openwall.com/lists/oss-security/2012/07/06/11
https://bugzilla.novell.com/show_bug.cgi?id=769799
https://github.com/mono/mono/commit/d16d4623edb210635bec3ca3786481b82cde25a2
https://hermes.opensuse.org/messages/15374367