Message-Id: <201308231818.r7NIInVQ025321@linus.mitre.org>
Date: Fri, 23 Aug 2013 14:18:49 -0400 (EDT)
From: cve-assign@...re.org
To: vdanen@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: roundcube 0.9.3 fixes two XSS flaws

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> [2] http://trac.roundcube.net/ticket/1489251

As far as we can tell from the http://trac.roundcube.net/ticket/1489251 history, the addressbook group vulnerability was discovered by dennis1993 and affects only version 1.0-git (not version 0.9.2). There is no direct statement that the addressbook group vulnerability was fixed. It seems likely that the addressbook group vulnerability could cross privilege boundaries if the "click on this group after creation" action were performed by an administrator who was visiting the addressbook of an unprivileged user.

The other issues were discovered by und3r and affect version 0.9.2. At least one of these issues (JavaScript code in the signature) also affects version 1.0-git. There seems to be a dispute about whether this signature issue crosses privilege boundaries. Apparently a user can use the signature issue to attack himself, but there is no discussion of whether an administrator can visit the "identity configuration page" of an unprivileged user, and thereby become a victim of the XSS attack. The signature issue might be interpreted as a CVE-2012-4668 regression.

Also, there is some indication that all of the issues discovered by und3r might have a root cause of 'This kind of problem is present in all parts where there is the "MCE" editor (or, more specifically, where there is a <textarea> with the CSS class "mce_editor").'

Thus, so far, it seems that we should have one CVE for the addressbook group vulnerability, and one CVE for all of the vulnerabilities discovered by und3r. If anyone has established that the vulnerabilities discovered by und3r don't all have the same affected versions, please let us know.

Also, if anyone thinks that the vulnerabilities discovered by und3r were actually the responsibility of a third-party product (such as TinyMCE), please mention that as well.

- --
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJSF6bnAAoJEGvefgSNfHMdEt8IALe8rCID8NSMFBtIPAxuofy8
tjDsi1fk19FSrjSxYCP1fsE68a1XMU0EWARdepYRHZuJboj1cBq1Z64cbiOPh+zw
s9VZPzlTwBPbrjbMZDz/9JhSNMCg6u5WX/HCAn5NlpiZizjZLsCE3Cx7eDq35kFK
os03AW2wdHz4/VPJGXhd2WEUWi07yaJgP6KyeaQiQBah4eYJnm7ENoDrnnJ8Wc43
7+UaHAPQAKIgLJRLimKbRHHLMXmQnOj0D8Yek926lG617yfL2tuuVlHpxN2kyLbW
5CvewSdEM7PJ0Qu/I1PwwsqjqfI871y38zvqUtZmVUxRFlSx6IytsQRHKuIV3qE=
=WaFU
-----END PGP SIGNATURE-----
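The message above concerns stored XSS through rich-text fields (the signature, and more generally any MCE-editor textarea) whose saved HTML is later rendered to another user such as an administrator. The following allowlist sanitizer is an added illustration of the server-side mitigation for that class of bug; it is not part of this message and not Roundcube's or TinyMCE's code. The tag and attribute allowlist, the `sanitize_signature` function name and the sample signature are constructed assumptions for the example.

```python
"""Allowlist HTML sanitizer for a stored rich-text field such as a mail signature.

Added example (not Roundcube code). Strategy: drop <script>/<style> with their
content, keep only allowlisted tags, keep only allowlisted attributes on them,
and reject dangerous attribute values (javascript: URLs, CSS expression()/url()).
"""
from html import escape
from html.parser import HTMLParser

# Constructed allowlist for this example; a real deployment tunes this per field.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "span", "div"}
ALLOWED_ATTRS = {"a": {"href"}, "span": {"style"}, "div": {"style"}}
VOID_TAGS = {"br"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
DROP_WITH_CONTENT = {"script", "style"}


class SignatureSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.open_tags: list[str] = []   # stack of emitted, still-open tags
        self.skipping = False            # True while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skipping = True         # content until the end tag is discarded
            return
        if self.skipping or tag not in ALLOWED_TAGS:
            return                       # tag dropped, its text content is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                 # removes on* handlers and anything else
            value = (value or "").strip()
            low = value.lower()
            if name == "href" and not low.startswith(SAFE_URL_SCHEMES):
                continue                 # removes javascript:, data:, vbscript: ...
            if name == "style" and ("expression" in low or "url(" in low):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skipping = False
            return
        if self.skipping or tag not in self.open_tags:
            return                       # stray end tag: ignore it
        # Close intermediate unclosed tags so the output stays well-formed.
        while self.open_tags:
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))   # re-escape &, <, >


def sanitize_signature(html: str) -> str:
    """Return a sanitized copy of an untrusted rich-text signature."""
    parser = SignatureSanitizer()
    parser.feed(html)
    parser.close()
    while parser.open_tags:              # close whatever the input left open
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)


# Constructed sample: what a hostile user might save as a signature.
SAMPLE_SIGNATURE = (
    "<p>Regards,<br>Alice</p>"
    "<script>alert(document.cookie)</script>"
    '<a href="javascript:alert(1)" onclick="alert(2)">site</a>'
    '<img src=x onerror="alert(3)">'
    '<span style="color:red">note</span> &amp; 1 < 2'
)

if __name__ == "__main__":
    print(sanitize_signature(SAMPLE_SIGNATURE))
```

Sanitizing at save time is the defensive counterpart of the issue discussed: a signature stored this way renders harmlessly whether it is the owner or an administrator viewing the identity page. Output encoding at render time still applies on top of it.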