CVE-2010-1459 — Mono ASP.NET View State Cross-Site Scripting (XSS) vulnerability

Description

The default configuration of ASP.NET in Mono before 2.6.4 has a value of FALSE for the EnableViewStateMac property, which allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated by the __VIEWSTATE parameter to 2.0/menu/menu1.aspx in the XSP sample project.

How to fix CVE-2010-1459

To remediate CVE-2010-1459, upgrade the affected package to a fixed version below.

Debian/mono—upgrade to 2.4.4~svn151842-3 or later
NuGet/mono—upgrade to 2.6.4 or later

Is CVE-2010-1459 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.4.4~svn151842-3
from 0, < 2.6.4

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2010-1459
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2010-1459
PATCHgithub.com/mono/mono
WEBlists.opensuse.org/opensuse-security-announce/2010-05/msg00002.html
WEB