Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 28 Sep 2017 20:17:26 +0200
From: chbi@...i.eu
To: oss-security@...ts.openwall.com
Subject: Stored XSS vulnerability in Tine 2.0 Community Edition <= 2017.08.3

Hi,

there are security issues in Tine 2.0 Community Edition <= 2017.08.3
(https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/)


Stored XSS vulnerability via IMG tag at "History" of Profile, Calendar,
Tasks and CRM allows an authenticated user to inject JavaScript which is
triggered by the application administrator and other users.

Stored XSS vulnerability via IMG tag at "Leadname" of CRM allows an
authenticated user to inject JavaScript which is triggered by the
application administrator and other users.

Stored XSS vulnerability via IMG tag at "Filename" of Filemanager allows
an authenticated user to inject JavaScript which is triggered by the
application administrator and other users.


Fix:
https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/bc8a6fbd3128cf5ef27d808f6c6ba869fdc2262b
https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/146c5aaafd826c1c8990333c393bff6f64c90786
https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/24e39e1e930097b8793a03b8864d3c484ede546b


The issues are fixed in Tine Community Edition 2017.08.4.


Until now vendor has not marked the new version as security update and
also not mentioned the security issues.
(https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/releases/tag/2017.08.4)


I've requested CVE IDs (MITRE), but I have not received any yet.


-- 
chbi
https://chbi.eu

GPG: 3DE9 9187 4BE9 EAE6 3CA8  DC20 BA7B 93F9 9037 AE7E
     https://chbi.eu/chbi.asc



Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.