oss-sec mailing list archives
Re: CVE-request: Roundcube XSS issues
From: "Steven M. Christey" <coley () rcf-smtp mitre org>
Date: Fri, 24 Aug 2012 22:29:42 -0400 (EDT)
On Mon, 20 Aug 2012, Kurt Seifried wrote:
2, Issue 2a: Description: Stored XSS in e-mail body. Ticket: http://trac.roundcube.net/ticket/1488613 Upstream patch: [snip] Issue 2b: Self XSS in e-mail body (Signature). Ticket: http://trac.roundcube.net/ticket/1488613 Upstream patch:[snip] Please use CVE-2012-3508 for these two issues (same version, same type of vuln so cve merge).
Further investigation into ticket 1488613 shows that the developer thinks that issue 2b doesn't need a backport to 0.7. This would suggest a SPLIT based on different affected versions.
Plus it's not immediately clear whether this "self XSS" is really an XSS or not - if I can modify my own signature, then I already have the "privileges" on my browser to run script. But, if this "self XSS" is really just reflected XSS, then that's a security issue to worry about. This requires expertise in the Roundcube codebase to answer for sure, though.
So, we should probably SPLIT this CVE. CVE-2012-3508 - Issue 2a - Stored XSS in e-mail body (new) CVE-2012-4668 - Issue 2b - Self XSS in e-mail body (Signature) - Steve
Current thread:
- CVE-request: Roundcube XSS issues Henri Salo (Aug 20)
- Re: CVE-request: Roundcube XSS issues Henri Salo (Aug 20)
- Re: CVE-request: Roundcube XSS issues Hanno Böck (Aug 20)
- Re: CVE-request: Roundcube XSS issues Henri Salo (Aug 20)
- Re: CVE-request: Roundcube XSS issues Hanno Böck (Aug 20)
- Re: CVE-request: Roundcube XSS issues Kurt Seifried (Aug 20)
- Re: CVE-request: Roundcube XSS issues Steven M. Christey (Aug 24)
- Re: CVE-request: Roundcube XSS issues Eygene Ryabinkin (Aug 26)
- Re: CVE-request: Roundcube XSS issues Eygene Ryabinkin (Aug 26)
- Re: CVE-request: Roundcube XSS issues Steven M. Christey (Aug 24)
- Re: CVE-request: Roundcube XSS issues Henri Salo (Aug 20)