Description
A flaw was found in gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page — enabling DOM access, session cookie theft and other client-side attacks — via a crafted URL that supplies a malicious value to the `q` GET parameter (reflected DOM XSS).
Packages
| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| gi-docgen | fixed | 2025.5-1 | | package |
| gi-docgen | no-dsa | | trixie | package |
| gi-docgen | no-dsa | | bookworm | package |
Notes
https://gitlab.gnome.org/GNOME/gi-docgen/-/issues/228
https://gitlab.gnome.org/GNOME/gi-docgen/-/merge_requests/254
Fixed by: https://gitlab.gnome.org/GNOME/gi-docgen/-/commit/c53d2640bfa5823bbdf33683d95c160267c0ec68 (2025.5)
Related vulnerabilities
GI-DocGen vulnerable to Reflected XSS via unescaped query strings