oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE request: XSS in Google Web Toolkit (GWT)

From: Kurt Seifried <kseifried () redhat com>
Date: Sun, 04 Aug 2013 23:47:16 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/04/2013 10:56 PM, David Jorm wrote:

I note that with the release of Google Web Toolkit (GWT) 2.5.1, a
security flaw has been resolved:

http://www.gwtproject.org/release-notes.html#Release_Notes_2_5_1_RC1
("Security Fixes")

The release notes state: Fixed an XSS vulnerability in html files
used by GWTTestCase (patch). These files will only be included in a
GWT app if it depends on the JUnit module. Despite the fix, this is
not recommended.

The patch is here: 
https://code.google.com/p/google-web-toolkit/source/detail?r=11385

I have reproduced this flaw and can confirm it is reflected XSS. I
have previously contacted security@google asking for CVE IDs for
GWT flaws, but never received a response. Please assign a CVE ID to
this flaw.

Thanks


So according to
http://cve.mitre.org/cve/cna.html
Google is a CVE Numbering Authority but I can't find a CVE in google
(irony?) for this so I guess they missed it. Please use CVE-2013-4204
for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR/zxhAAoJEBYNRVNeJnmTgtEQAJ2gmoFcYw9EXIWtQBLkykBq
7GShyEcaxY43Ecm38TEIMElHxXsiX6QoI16O0AzkMi2N0TsKjxp0Lvf7zfU3fhqI
+juPu2bqKP+yGRJKcb5RoEUr1QGkvS8e4BBTK/572shziiC7j+hvdYYOR3sFvmQw
q8HiLIx/in+MUgB+V9XIOyKk5C8v60C8CQ8EH4oqD8q8YScq/HioaKgrs4GJqCUA
tbnHPuah9WBOyS0RstyDPAsDRXVGl081mPlq0fllHq28sArbZo+gB1ZgDMhvVhbv
AghVzKYt8px3FLi+MVlSTOGeIrTXtpsTWQ66DKxfYfsj1iNh+T3B/fD4H08c4hqX
46rEUBwGKvdNIcg6+DsHvni/6zXBry8qA9x3xwnfUK0xDhZZ8qXN5uXhPqLCM64N
TADtIVy5R0f1pv9SNRUMuKBPs+Pw5kimgnYaM45i1E8ilSxHVX6JKsTukx89DK+0
YK674UeTPVQIelFFG8EnasINjgua2kEEaFWsqMPcLbeFsHZA9AD7GpEC6vilTrQz
w8ApJ90Ti1oU0eZ1oMhpcjkgjQaS/ZIwYAkIZnLq9Xi5/jGu6aB0sum4fPd8Fytt
QDWdJwfTaWq8pNa4M/wwLJGP89EQFunXfGwLd4iloJEHeDSRbmj7H0lRax4DSxeJ
+07h7kydenYwxrVTBUL3
=roNw
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: