Re: CVE request: eZ Publish XSS

[Kurt Seifried <kseifried () redhat com>]

On 03/28/2012 06:11 AM, Luc ABRIC wrote:
> Hi,
>
> We identified a XSS vulnerability in the eZ Publish application. Here comes some details.
>
> 1) Email address of requester 
> yann.michard () oppida fr, luc.abric () oppida fr & jkn () ez no.
> Yann MICHARD discovered the vulnerability, so all the credits goes to him.
>
> 2) Software name and optionally vendor name
> Vendor: eZ
> Product name: Ez Publish
> Editions: both Enterprise & Community
>
> 3) At least one of (to determine is this a security issue):
>    1. Type of vulnerability
>  OWASP A2: Cross Site Scripting
>  
>    2. Exploitation vectors
>  Access to the vulnerable website (no need for any credentials)
>  
>    3. Attack outcome
>  A browser is enough to execute the attack.
>  
> 4) For Open Source at least one of:
>   1. Link to vulnerable source code or fix
>  Not available yet.
>
>   2. Link to source code change log
>  Not available yet.
>
>   3. Link to security advisory
>  Not available yet.
>
>   4. Link to bug entry
> http://issues.ez.no/19283
>
>   5. Request comes from project member (a.k.a. "trust me, it's a problem")
> Knudsen <jkn () ez no> from Ez can confirm the vulnerability.
>
> 5) Affected version(s) (3.2.4, 3.x, current version, all current releases, something)
> The whole 4.x serie it seems (4.1 to 4.6 from the bug entry).
>
> 6) Whether or not this has been previously requested (i.e. on OSS-Sec or to cve-assign)
> No, this is our first request relative to this vulnerability.
>
> 7) Is this an Open Source or commercial software request
> Both, the affected software has 2 editions, one open-source, one commercial.
>
> 8) Is this an embargoed issue (if yes and commercial: send to cve-assign, if yes and open source: send to vs-sec?)
> Nope.
>
> 9) IF multiple issues are listed please list affected versions for each issue and/or who reported them (so we can 
> determine CVE split/merge).
> The editor did now publish a Security Advisory yet, but he confirmed the vulnerability.
> The first issue we reported on this application was affected the CVE 2012-1565, but we don't think it should be used 
> for a merge as the 2 issues are distincts.

Please use CVE-2012-1597 for this issue.


> Regards,
> Luc ABRIC
> IT Security Expert
>
> 6 avenue du Vieil Etang - Bâtiment B
> 78180 Montigny-le-Bretonneux
> Phone: +33 (0)1 30 14 19 00
> Fax:       +33 (0)1 30 14 19 09
> Mobile: +33 (0)6 26 87 62 14
> luc.abric () oppida fr
>
> www.oppida.fr


-- 
Kurt Seifried Red Hat Security Response Team (SRT)