Moderate severityNVD Advisory· Published Aug 25, 2009· Updated Apr 23, 2026

CVE-2009-2959

Description

Cross-site scripting (XSS) vulnerability in the waterfall web status view (status/web/waterfall.py) in Buildbot 0.7.6 through 0.7.11p1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
buildbotPyPI	>= 0.7.6, < 0.7.11p3	0.7.11p3

Affected products

Buildbot/Buildbot8 versions
cpe:2.3:a:buildbot:buildbot:0.7.10:*:*:*:*:*:*:*+ 7 more
- cpe:2.3:a:buildbot:buildbot:0.7.10:*:*:*:*:*:*:*
- cpe:2.3:a:buildbot:buildbot:0.7.10p1:*:*:*:*:*:*:*
- cpe:2.3:a:buildbot:buildbot:0.7.11:*:*:*:*:*:*:*
- cpe:2.3:a:buildbot:buildbot:0.7.11p1:*:*:*:*:*:*:*
- cpe:2.3:a:buildbot:buildbot:0.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:buildbot:buildbot:0.7.7:*:*:*:*:*:*:*
- cpe:2.3:a:buildbot:buildbot:0.7.8:*:*:*:*:*:*:*
- cpe:2.3:a:buildbot:buildbot:0.7.9:*:*:*:*:*:*:*

Patches

a08ee48e796a

Fix XSS in waterfall help.

https://github.com/buildbot/buildbotNicolás AlvarezAug 13, 2009via ghsa

commit

1 file changed · +1 −1

buildbot/status/web/waterfall.py+1 −1 modified

@@ -399,7 +399,7 @@ def body(self, request):
                                   '<td><input type="radio" name="reload" '
                                   'value="%s" %s></td> '
                                   '<td>%s</td></tr>\n'
-                                  ) % (value, checked, name)
+                                  ) % (html.escape(value), checked, html.escape(name))
         show_reload_input += '</table>\n'
 
         fields = {"show_events_input": show_events_input,

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

buildbot.net/tracnvdPatchWEB
sourceforge.net/mailarchive/message.phpnvdPatchWEB
www.securityfocus.com/bid/36100nvdPatch
www.vupen.com/english/advisories/2009/2352nvdPatchVendor Advisory
www.redhat.com/archives/fedora-package-announce/2009-August/msg00978.htmlnvdPatchWEB
www.redhat.com/archives/fedora-package-announce/2009-August/msg00985.htmlnvdPatchWEB
secunia.com/advisories/36352nvdVendor Advisory
secunia.com/advisories/36418nvdVendor Advisory
github.com/advisories/GHSA-jqqh-999x-w26wghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2009-2959ghsaADVISORY
github.com/buildbot/buildbot/commit/a08ee48e796ae66c54fca6a087b4adce7d1d6c06ghsaWEB
github.com/pypa/advisory-database/tree/main/vulns/buildbot/PYSEC-2009-1.yamlghsaWEB
web.archive.org/web/20101118080215/http://www.vupen.com/english/advisories/2009/2352ghsaWEB
web.archive.org/web/20111225112636/http://secunia.com/advisories/36352ghsaWEB
web.archive.org/web/20111225123121/http://secunia.com/advisories/36418ghsaWEB
web.archive.org/web/20200228175025/http://www.securityfocus.com/bid/36100ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000