oss-sec mailing list archives
Re: Zenoss Open Source monitoring System - Open Redirect & Stored XSS Vulnerabilities
From: cve-assign () mitre org
Date: Wed, 14 May 2014 23:56:26 -0400 (EDT)
A persistent XSS vulnerability was found in Zenoss core, by creating a malicious host with [[XSS] in the title]
As far as we can tell, this crosses privilege boundaries. Chapter 11 of the Zenoss Core Administration documentation suggests that there can be multiple accounts with different privileges. The wtmdsz24evo video shows the attack taking place in the context of the "dolev" user account. Use CVE-2014-3738.
Open Redirect vulnerability. zport/acl_users/cookieAuthHelper/login_form?came_from=
Use CVE-2014-3739.
--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Current thread:
- Zenoss Open Source monitoring System - Open Redirect & Stored XSS Vulnerabilities Dolev Farhi (May 14)
- Re: Zenoss Open Source monitoring System - Open Redirect & Stored XSS Vulnerabilities cve-assign (May 14)