CVE-2011-0728
Description
Cross-site scripting (XSS) vulnerability in templatefunctions.py in Loggerhead before 1.18.1 allows remote authenticated users to inject arbitrary web script or HTML via a filename, which is not properly handled in a revision view.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in Loggerhead before 1.18.1 allows authenticated users to inject arbitrary code via a filename in revision views.
Vulnerability
Loggerhead before version 1.18.1 contains a cross-site scripting (XSS) vulnerability in the templatefunctions.py file. The revision_link function did not properly escape filenames when rendering revision views, allowing remote authenticated users to inject arbitrary web script or HTML [1][3][4].
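The defect class described above is a template helper that interpolates a user-controlled filename straight into HTML. The following added example is not Loggerhead's code (the real `revision_link` in templatefunctions.py is not reproduced here); it uses a hypothetical `render_file_link` helper and a constructed filename to show the unescaped pattern next to a hardened version that escapes the text node and percent-encodes the path segment, plus a small check a reviewer or test suite can use to flag output that still carries raw markup.

```python
import html
from urllib.parse import quote

# Constructed sample filename for this example; it is not taken from the advisory.
SAMPLE_FILENAME = "<script>x</script>.txt"


def render_file_link_unescaped(revid: str, filename: str) -> str:
    """Hypothetical helper showing the vulnerable pattern: the filename is
    interpolated into both the href and the link text with no escaping, so
    any markup in the filename reaches the browser as markup."""
    return '<a href="/revision/%s/%s">%s</a>' % (revid, filename, filename)


def render_file_link_escaped(revid: str, filename: str) -> str:
    """Hardened form of the same helper. The link text is HTML-escaped
    (including quotes, so it is also safe inside attributes) and the path
    segment is percent-encoded; '/' is kept so nested paths still work."""
    safe_revid = html.escape(revid, quote=True)
    safe_path = quote(filename, safe="/")
    safe_text = html.escape(filename, quote=True)
    return '<a href="/revision/%s/%s">%s</a>' % (safe_revid, safe_path, safe_text)


def leaks_raw_markup(rendered: str, filename: str) -> bool:
    """Regression check: True if a filename containing markup-significant
    characters appears verbatim in the rendered output, meaning the
    renderer did not escape it."""
    has_special = any(c in filename for c in '<>"\'&')
    return has_special and filename in rendered


if __name__ == "__main__":
    for fn in (render_file_link_unescaped, render_file_link_escaped):
        out = fn("r1", SAMPLE_FILENAME)
        print(fn.__name__, "leaks markup:", leaks_raw_markup(out, SAMPLE_FILENAME))
        print("  ", out)
```

Running the block shows the unescaped helper emitting the `<script>` tag verbatim while the escaped helper renders it as inert `&lt;script&gt;` text and a percent-encoded path; the `leaks_raw_markup` check returns `True` only for the former, which makes it usable as a unit test over every template helper that renders user-supplied names.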
Exploitation
An attacker with valid authentication credentials can commit a file with a malicious filename containing JavaScript code. When another user views the revision history page that includes that filename, the unsanitized name is rendered and the script executes in the context of the user's browser [3][4].
Impact
Successful exploitation allows the attacker to execute arbitrary HTML and script code in the victim's browser, potentially leading to session theft, credential disclosure, or other actions within the context of the Loggerhead application [1].
Mitigation
The vulnerability is fixed in Loggerhead version 1.18.1, released in March 2011 [3]. Users should upgrade to this version or later. No workarounds are available for earlier versions [3][4].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| loggerhead (PyPI) | < 1.18.1 | 1.18.1 |
Affected products
- cpe:2.3:a:michael_hudson-doyle:loggerhead:*:*:*:*:*:*:*:* (range: <= 1.18)
- cpe:2.3:a:michael_hudson-doyle:loggerhead:1.10:*:*:*:*:*:*:*
- cpe:2.3:a:michael_hudson-doyle:loggerhead:1.17:*:*:*:*:*:*:*
- cpe:2.3:a:michael_hudson-doyle:loggerhead:1.6:*:*:*:*:*:*:*
- cpe:2.3:a:michael_hudson-doyle:loggerhead:1.6.1:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- bugs.launchpad.net/loggerhead/+bug/740142 (source: NVD; tags: Patch, Web)
- launchpad.net/loggerhead/1.18/1.18.1 (source: NVD; tags: Patch, Web)
- secunia.com/advisories/43822 (source: NVD; tags: Vendor Advisory)
- github.com/advisories/GHSA-qjmg-77xh-7mjw (source: GHSA; type: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2011-0728 (source: GHSA; type: Advisory)
- lists.fedoraproject.org/pipermail/package-announce/2011-April/057413.html (source: NVD; tags: Web)
- lists.fedoraproject.org/pipermail/package-announce/2011-April/057479.html (source: NVD; tags: Web)
- lists.fedoraproject.org/pipermail/package-announce/2011-April/057502.html (source: NVD; tags: Web)
- exchange.xforce.ibmcloud.com/vulnerabilities/66305 (source: NVD; tags: Web)
- web.archive.org/web/20200228162139/http://www.securityfocus.com/bid/47032 (source: GHSA; tags: Web)
- secunia.com/advisories/44017 (source: NVD)
- www.osvdb.org/71279 (source: NVD)
- www.securityfocus.com/bid/47032 (source: NVD)
- www.vupen.com/english/advisories/2011/0848 (source: NVD)
- www.vupen.com/english/advisories/2011/0849 (source: NVD)
News mentions
No linked articles in our index yet.