HIO-2008-0619 Trac XSR

Trac contains a flaw that allows a remote cross-site redirection attack. The flaw exists because the application does not validate the "q" parameter submitted to the search script. This could allow an attacker to create a specially crafted URL that redirects a user's browser to an arbitrary destination within the trust relationship between the browser and the server, leading to a loss of integrity.
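The following is an added illustration and is not Trac's code. It models the pattern the advisory describes (a search handler that redirects when the "q" value looks like a URL) beside a hardened version that only follows redirects resolving to the application's own origin, and reuses the same check to flag off-site "q" values in web-server access logs. The base URL, the function names and the log lines are all constructed for this example.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qs, urljoin, urlsplit

# Constructed for this example: the origin the application is served from.
APP_BASE = "https://trac.example.test/"


def quickjump_target_vulnerable(q: str) -> Optional[str]:
    """Illustrative vulnerable pattern (hypothetical, not Trac's code):
    if the search text looks like an absolute URL, return it as the
    redirect target without checking where it points."""
    q = q.strip()
    if q.startswith(("http://", "https://")):
        return q
    return None


def is_safe_redirect(target: str, base: str = APP_BASE) -> bool:
    """Return True only if `target` resolves to the same scheme and host
    as `base`. Resolving against `base` first means relative paths are
    accepted while scheme-relative ("//host/...") and userinfo tricks
    ("https://trac.example.test@other.host/") are rejected, because the
    resolved netloc no longer matches."""
    resolved = urlsplit(urljoin(base, target))
    base_parts = urlsplit(base)
    if resolved.scheme not in ("http", "https"):
        return False
    # netloc covers host and port; compare case-insensitively.
    return (resolved.scheme, resolved.netloc.lower()) == (
        base_parts.scheme,
        base_parts.netloc.lower(),
    )


def quickjump_target_hardened(q: str) -> Optional[str]:
    """Hardened variant: URL-looking queries are only followed when they
    stay on the application's own origin; otherwise the caller should
    fall through to a normal search instead of redirecting."""
    q = q.strip()
    if not q.startswith(("http://", "https://")):
        return None
    if not is_safe_redirect(q):
        return None
    return q


# Constructed sample access log lines (Apache combined format).
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jun/2008:10:00:00 +0000] "GET /search?q=ticket%20123 HTTP/1.1" 200 512',
    '10.0.0.9 - - [19/Jun/2008:10:00:05 +0000] "GET /search?q=https%3A%2F%2Fattacker.example%2Flogin HTTP/1.1" 302 0',
    '10.0.0.9 - - [19/Jun/2008:10:00:09 +0000] "GET /search?q=https%3A%2F%2Ftrac.example.test%2Fwiki HTTP/1.1" 302 0',
]

_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP')


def flag_offsite_search_requests(lines: List[str]) -> List[str]:
    """Detection helper: return the decoded "q" values of requests to
    the search endpoint whose value points to a different origin."""
    flagged = []
    for line in lines:
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        request = urlsplit(match.group(1))
        if not request.path.endswith("/search"):
            continue
        for q in parse_qs(request.query).get("q", []):
            if q.startswith(("http://", "https://", "//")) and not is_safe_redirect(q):
                flagged.append(q)
    return flagged


if __name__ == "__main__":
    print("vulnerable:", quickjump_target_vulnerable("https://attacker.example/login"))
    print("hardened:  ", quickjump_target_hardened("https://attacker.example/login"))
    print("flagged:   ", flag_offsite_search_requests(SAMPLE_LOG))
```

The hardened check deliberately resolves the candidate against the application's own base URL before comparing origins; comparing the raw string prefix instead would let scheme-relative and userinfo-prefixed forms through.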

References:

BID: 30402  

CVE-2008-2951

Nessus: 33271, 33767, 33766  

OSVDB: 46513

SA: 31314

XF: 44043  

Distribution updates: 

Debian

Fedora-2008-6830

Vendor Solutions:

0.10-stable users, upgrade to 0.10.5

Upgrade to 0.11.0 stable from dev versions. See caveats
