CVE-2010-1459

Publication date 27 May 2010

Last updated 24 July 2024

The default configuration of ASP.NET in Mono before 2.6.4 has a value of FALSE for the EnableViewStateMac property, which allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated by the __VIEWSTATE parameter to 2.0/menu/menu1.aspx in the XSP sample project.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
mono	12.04 LTS precise	Not affected
	11.10 oneiric	Not affected
	11.04 natty	Not affected
	10.10 maverick	Not affected
	10.04 LTS lucid	Fixed 2.4.4~svn151842-1ubuntu4.1
	9.10 karmic	Ignored
	9.04 jaunty	Ignored
	8.04 LTS hardy	Ignored
	6.06 LTS dapper	Ignored

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
mono	Vendor: http://git.debian.org/?p=pkg-mono/packages/mono.git;a=patch;h=e861cd1186ee640856a4533b5ee349394fa67193 Vendor: http://git.debian.org/?p=pkg-mono/packages/mono.git;a=patch;h=871872741c2d8f6c6325997c44c6f09b7a94dc14 Vendor: https://bugzilla.redhat.com/attachment.cgi?id=418328&action=diff&context=patch&collapsed=&headers=1&format=raw

CVE-2010-1459

Status

Patch details

References

Other references