oss-sec mailing list archives
Re: Re: CVE request: roundcube 0.9.3 fixes two XSS flaws
From: Vincent Danen <vdanen () redhat com>
Date: Tue, 27 Aug 2013 17:41:31 -0600
* [2013-08-23 14:18:49 -0400] cve-assign () mitre org wrote:
[2] http://trac.roundcube.net/ticket/1489251

As far as we can tell from the http://trac.roundcube.net/ticket/1489251 history, the addressbook group vulnerability was discovered by dennis1993 and affects only version 1.0-git (not version 0.9.2). There is no direct statement that the addressbook group vulnerability was fixed. It seems likely that the addressbook group vulnerability could cross privilege boundaries if the "click on this group after creation" action were performed by an administrator who was visiting the addressbook of an unprivileged user.

The other issues were discovered by und3r and affect version 0.9.2. At least one of these issues (JavaScript code in the signature) also affects version 1.0-git. There seems to be a dispute about whether this signature issue crosses privilege boundaries. Apparently a user can use the signature issue to attack himself, but there is no discussion of whether an administrator can visit the "identity configuration page" of an unprivileged user, and thereby become a victim of the XSS attack. The signature issue might be interpreted as a CVE-2012-4668 regression.

Also, there is some indication that all of the issues discovered by und3r might have a root cause of 'This kind of problem is present in all parts where there is the "MCE" editor (or, more specifically, where there is a <textarea> with the CSS class "mce_editor").'

Thus, so far, it seems that we should have one CVE for the addressbook group vulnerability, and one CVE for all of the vulnerabilities discovered by und3r. If anyone has established that the vulnerabilities discovered by und3r don't all have the same affected versions, please let us know. Also, if anyone thinks that the vulnerabilities discovered by und3r were actually the responsibility of a third-party product (such as TinyMCE), please mention that as well.
I didn't go digging that deep into it, but what you're saying makes sense and still leaves us with a request for two CVEs. Would you be able to assign them? I didn't see the actual assignment made in your reply. Thanks.

--
Vincent Danen / Red Hat Security Response Team
Current thread:
- CVE request: roundcube 0.9.3 fixes two XSS flaws Vincent Danen (Aug 23)
- Re: CVE request: roundcube 0.9.3 fixes two XSS flaws cve-assign (Aug 23)
- Re: Re: CVE request: roundcube 0.9.3 fixes two XSS flaws Vincent Danen (Aug 27)
- Re: CVE request: roundcube 0.9.3 fixes two XSS flaws cve-assign (Aug 28)
- Re: Re: CVE request: roundcube 0.9.3 fixes two XSS flaws Vincent Danen (Aug 28)
- Re: CVE request: roundcube 0.9.3 fixes two XSS flaws cve-assign (Aug 23)