Apologies if you've received duplicate e-mail from me, but I haven't
received any response from the LXR SourceForge e-mail addresses.

There are several cross-site scripting vulnerabilities in LXR. These
vulnerabilities could allow an attacker to execute scripts in a user's
browser, steal cookies associated with vulnerable domains,
redirect the user to malicious websites, etc. A proof-of-concept
URL may look like:

I have confirmed these vulnerabilities in LXR 0.9.6 and 0.9.5. The
experimental LXR installation in use at lxr.linux.no is also vulnerable
with certain settings.

This issue has been assigned CVE-2009-4497. I have written a patch
for this issue, and I'd be happy to work with you to resolve the problem.
Please reply to discuss fixing and publishing this bug.