I'll add to this bug instead of making a new one. /cgi-bin/cookies.cgi contains XSS (persistent via cookie) and Header injection vulnerabilities in vars repeatmerged, terse, reverse, trim, oldview
XSS PoC: https://bugs.debian.org/cgi-bin/cookies.cgi?repeatmerged=%3Cscript%3Ealert('xss')%3B%3C/script%3E Header injection PoC: https://bugs.debian.org/cgi-bin/cookies.cgi?repeatmerged=%0aLocation%3A%20http%3A%2F%2Fgoogle.com%2F%0a -v -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: https://lists.debian.org/[email protected]
