{"id":"MGASA-2013-0163","summary":"Updated php-geshi package fix security vulnerabilities","details":"A directory traversal and information disclosure (local file inclusion) flaws\nwere found in the cssgen contrib module (application to generate custom CSS\nfiles) of GeSHi, a generic syntax highlighter, performed sanitization of\n'geshi-path' and 'geshi-lang-path' HTTP GET / POST variables. A remote\nattacker could provide a specially-crafted URL that, when visited could lead\nto local file system traversal or, potentially, ability to read content of\nany local file, accessible with the privileges of the user running the\nwebserver (CVE-2012-3251).\n\nA cross-site scripting (XSS) flaw was found in the way 'langwiz' example\nscript of GeSHi, a generic syntax highlighter, performed sanitization of\ncertain HTTP GET / POST request variables (prior dumping their content). A\nremote attacker could provide a specially-crafted URL that, when visited\nwould lead to arbitrary HTML or web script execution (CVE-2012-3522).\n","modified":"2026-04-16T06:22:57.666947476Z","published":"2013-06-06T12:24:33Z","upstream":["CVE-2012-3251","CVE-2012-3522"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2013-0163.html"},{"type":"WEB","url":"http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105247.html"}],"affected":[{"package":{"name":"php-geshi","ecosystem":"Mageia:2","purl":"pkg:rpm/mageia/php-geshi?arch=source&distro=mageia-2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.0.8.11-1.mga2"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2013-0163.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}