Date: Thu, 28 Sep 2017 20:24:58 +0200
From: chbi@...i.eu
To: oss-security@...ts.openwall.com
Subject: Stored XSS vulnerability in eGroupware Community Edition <=
 16.1.20170703

Hi,

There is a security issue in eGroupware Community Edition <=
16.1.20170703 (https://github.com/EGroupware/egroupware).


A stored XSS vulnerability allows an unauthenticated remote attacker to
inject JavaScript via the browser User-Agent header, which is triggered
by the application administrator.

Fix:
https://github.com/EGroupware/egroupware/commit/0ececf8c78f1c3f9ba15465f53a682dd7d89529f


The issue is fixed in eGroupware Community Edition 16.1.20170922.


So far the vendor has not marked the new version as a security update,
nor has it mentioned the security issue.
(https://github.com/EGroupware/egroupware/releases/tag/16.1.20170922)


I've requested a CVE ID from MITRE but have not received one yet.


-- 
chbi
https://chbi.eu

GPG: 3DE9 9187 4BE9 EAE6 3CA8  DC20 BA7B 93F9 9037 AE7E
     https://chbi.eu/chbi.asc
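The bug class described in the report, a request header stored server-side and later rendered unescaped in an admin view, as an added illustration that is not part of the original post and not eGroupware's code (the linked fix commit is not reproduced here). The session records, the payload and the two render functions are constructed for this example; it shows the vulnerable interpolation beside the output-escaped form.

```python
import html

# Constructed sample data: session records as a server might keep them,
# copied straight from the User-Agent request header. The third record
# carries a hypothetical XSS payload; no real user agent looks like this.
SESSIONS = [
    {"user": "alice", "ip": "192.0.2.10",
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/52.0"},
    {"user": "bob", "ip": "192.0.2.11",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/61.0"},
    {"user": "mallory", "ip": "192.0.2.12",
     "user_agent": "<script>alert(document.cookie)</script>"},
]


def render_sessions_vulnerable(sessions):
    """Admin 'current sessions' table that interpolates stored values raw.

    Anything the client put in User-Agent ends up verbatim in the admin's
    HTML, so the stored payload executes when the administrator opens the page.
    """
    rows = "".join(
        f"<tr><td>{s['user']}</td><td>{s['ip']}</td><td>{s['user_agent']}</td></tr>"
        for s in sessions
    )
    return f"<table>{rows}</table>"


def render_sessions_fixed(sessions):
    """Same table with every stored value HTML-escaped at output time.

    Escaping at the sink (not at storage) is the fix: the raw header is still
    available for logging and forensics, but it can no longer become markup.
    """
    rows = "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            html.escape(s["user"], quote=True),
            html.escape(s["ip"], quote=True),
            html.escape(s["user_agent"], quote=True),
        )
        for s in sessions
    )
    return f"<table>{rows}</table>"


def contains_raw_script(markup):
    """Crude check for this demonstration: does a literal <script tag survive?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("vulnerable:", contains_raw_script(render_sessions_vulnerable(SESSIONS)))
    print("fixed:     ", contains_raw_script(render_sessions_fixed(SESSIONS)))
```

The point the example makes is that the header is attacker-controlled before authentication, so the only reliable defence is escaping at every HTML sink; filtering or truncating the header on the way in is at most defence in depth.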


