Message-Id: <201308231818.r7NIInVQ025321@linus.mitre.org>
Date: Fri, 23 Aug 2013 14:18:49 -0400 (EDT)
From: cve-assign@...re.org
To: vdanen@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: roundcube 0.9.3 fixes two XSS flaws

>[2] http://trac.roundcube.net/ticket/1489251

As far as we can tell from the
http://trac.roundcube.net/ticket/1489251 history, the addressbook
group vulnerability was discovered by dennis1993 and affects only
version 1.0-git (not version 0.9.2). There is no direct statement that
the addressbook group vulnerability was fixed. It seems likely that
the addressbook group vulnerability could cross privilege boundaries
if the "click on this group after creation" action were performed by
an administrator who was visiting the addressbook of an unprivileged
user.

The other issues were discovered by und3r and affect version 0.9.2. At
least one of these issues (JavaScript code in the signature) also
affects version 1.0-git. There seems to be a dispute about whether
this signature issue crosses privilege boundaries. Apparently a user
can use the signature issue to attack himself, but there is no
discussion of whether an administrator can visit the "identity
configuration page" of an unprivileged user, and thereby become a
victim of the XSS attack. The signature issue might be interpreted as
a CVE-2012-4668 regression. Also, there is some indication that all of
the issues discovered by und3r might have a root cause of 'This kind
of problem is present in all parts where there is the "MCE" editor
(or, more specifically, where there is a <textarea> with the CSS class
"mce_editor").'

Thus, so far, it seems that we should have one CVE for the addressbook
group vulnerability, and one CVE for all of the vulnerabilities
discovered by und3r. If anyone has established that the
vulnerabilities discovered by und3r don't all have the same affected
versions, please let us know. Also, if anyone thinks that the
vulnerabilities discovered by und3r were actually the responsibility
of a third-party product (such as TinyMCE), please mention that as
well.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
