Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <201308281659.r7SGxhHq028090@linus.mitre.org>
Date: Wed, 28 Aug 2013 12:59:43 -0400 (EDT)
From: cve-assign@...re.org
To: vdanen@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: roundcube 0.9.3 fixes two XSS flaws

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>[2] http://trac.roundcube.net/ticket/1489251

The first CVE assignment for this is CVE-2013-5645. The scope of this
CVE includes:

  http://trac.roundcube.net/changeset/93b0a30c1c8aa29d862b587b31e52bcc344b8d16/github

  Fix XSS vulnerability when editing a message "as new" or draft

  "rcmail_wash_html($body, array('safe' => 1), $cid_map);"
  added in compose.inc

The scope of this CVE also includes:

  http://trac.roundcube.net/changeset/ce5a6496fd6039962ba7424d153278e41ae8761b/github

  Fix XSS vulnerability when saving HTML signatures

  "rcmail_wash_html($save_data['signature']);"
  added in save_identity.inc

to the extent that this can cross privilege boundaries within the
Roundcube webmail product.

All aspects of CVE-2013-5645 were discovered by und3r. These are all
CVE-2013-5645 references:

  http://trac.roundcube.net/wiki/Changelog#RELEASE0.9.3
  http://trac.roundcube.net/ticket/1489251
  http://trac.roundcube.net/changeset/ce5a6496fd6039962ba7424d153278e41ae8761b/github
  http://trac.roundcube.net/changeset/93b0a30c1c8aa29d862b587b31e52bcc344b8d16/github


The scope of CVE-2013-5645 does not include any additional
exploitation approaches (if any) in Roundcube webmail, or other
products, that are related to:

  'This kind of problem is present in all parts where there is
  the "MCE" editor (or, more specifically, where there is a
  <textarea> with the CSS class "mce_editor").'

That may possibly have other CVE assignments if someone investigates
it at a later time.


Finally, there is a separate CVE assignment of CVE-2013-5646 for this
other issue with different affected versions:

  As far as we can tell from the
  http://trac.roundcube.net/ticket/1489251 history, the
  addressbook group vulnerability was discovered by dennis1993
  and affects only version 1.0-git (not version 0.9.2). There is
  no direct statement that the addressbook group vulnerability
  was fixed. It seems likely that the addressbook group
  vulnerability could cross privilege boundaries if the "click on
  this group after creation" action were performed by an
  administrator who was visiting the addressbook of an
  unprivileged user.

http://trac.roundcube.net/ticket/1489251 is the only CVE-2013-5646
reference that we know of at the moment.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJSHif2AAoJEGvefgSNfHMdcrEH/3cAf2Qn9FvArkhmvwGWhPmI
ddWBmTh0aoPNzuOYsNXT6ZMsBEFzRAFpcbCx4Mf32UvKO3tK/BJeQLC+eEk1XuzQ
0+59K2KKM5y/l13qwYP3I02RyvbQEDGzKsh1EsHlKwY2vcoPoHoETYutHPtQ6HEP
v2JgqyCMwaF+NGtqx2hK/eeiR0xBVf339ODHnii296d1KqCpcIAAPyoVGX75YZ3O
djG9lND36wHZ9S+Huy1APi1rx/SZnPxHjaBdtVU2GGAiGpu26zZpstN3HmVbMI+v
8jyYNpJstorjmgZqO/GwFoJ+M47YIwnISiMvCeItAClC2EwKKVRd1RLOZmGkeUM=
=vhpO
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.