Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 28 Sep 2017 20:17:26 +0200
From: chbi@...i.eu
To: oss-security@...ts.openwall.com
Subject: Stored XSS vulnerability in Tine 2.0 Community Edition <= 2017.08.3

Hi,

there are security issues in Tine 2.0 Community Edition <= 2017.08.3
(https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/)


Stored XSS vulnerability via IMG tag at "History" of Profile, Calendar,
Tasks and CRM allows an authenticated user to inject JavaScript which is
triggered by the application administrator and other users.

Stored XSS vulnerability via IMG tag at "Leadname" of CRM allows an
authenticated user to inject JavaScript which is triggered by the
application administrator and other users.

Stored XSS vulnerability via IMG tag at "Filename" of Filemanager allows
an authenticated user to inject JavaScript which is triggered by the
application administrator and other users.


Fix:
https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/bc8a6fbd3128cf5ef27d808f6c6ba869fdc2262b
https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/146c5aaafd826c1c8990333c393bff6f64c90786
https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/24e39e1e930097b8793a03b8864d3c484ede546b


The issues are fixed in Tine Community Edition 2017.08.4.


Until now vendor has not marked the new version as security update and
also not mentioned the security issues.
(https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/releases/tag/2017.08.4)


I've requested CVE IDs (MITRE), but I have not received any yet.


-- 
chbi
https://chbi.eu

GPG: 3DE9 9187 4BE9 EAE6 3CA8  DC20 BA7B 93F9 9037 AE7E
     https://chbi.eu/chbi.asc



Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ