Re: CVE Request: LDAP Account Manager XSS in login.php

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/21/2013 03:16 PM, Salvatore Bonaccorso wrote:
> Hi Kurt,
>
> Eric Sesterhenn discovered a XSS vulnerability in login.php of LDAP
> Account Manager and reported this to the Debian BTS[1]. It requires
> to send malicious data via POST.
>
> [1] http://bugs.debian.org/726976
>
> Upstream Bugreport:
>
> [2] http://sourceforge.net/p/lam/bugs/156/
>
> Upstream also has already commited fixes to the VCS:
>
> [3] http://sourceforge.net/p/lam/code/5074/ [4]
> http://sourceforge.net/p/lam/code/5075/
>
> Could you please assign a CVE for this issue?
>
> Regards, Salvatore

Thanks, please use CVE-2013-4453 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJSZhENAAoJEBYNRVNeJnmTbEMP/imXMXt9yFjHSh42fMNDjx2g
1lrVFPC6VoZiJ63qhTy/DYf3vO2sgXOXQn5r5NypnBN+Oyq40dtX56wbV+hULioa
7W7JlXpcJLrjXxQi/dGF46XR3KZL0kpW2lUgJ+jfLKOqa5Do0LfzHtcRRnxI/CIs
p4hzBqRhJ1laAGkCAYwoitloAnmRFHyoGnRomgkWS4xSHI7DT5k3m8X28R9rBxJ1
CCpfhtVqVhrjpY/IzJ8rzwob9voTOgDPZVsVfI5sB0qOkwKWxgGzBs/jHrG1nBQD
ucONhql0zNF6n3Z720RcI60jNqcdNBsxyF54CBj5ZHIjicB36AXJxg9r1eSxrg2w
pqdI3AhI5TN9f/y0USkOsJnUK4wkYhqugHRyIEapVd0/D5g8r2wUjkxNSvQueLtt
6VAousV8sPP0UngytOrppgKuSyWjIsvQmo9bOFRScbAQ6IF8c6VMBF+YXkw1d+Vg
/K9hkqBloStlWHIiwm/gb8dWRq3OLYna3vQobjKDAqfPgiw9BEFZvfbUgB/fcTY0
QZhVv7C8TaGodz3zkFEMHhAZRK5klMrXTM9i/kK0DgC+Gtgbj+K3ihwsDvS5F0F6
Zxevrxk+1jgy9KIGK89wQG6tinwD4JHJ5JR6LGSYELbqKoE8Ww3upkjSvCC7nysu
tABNBx4fgPoMxJSpn5Yd
=R3A8
-----END PGP SIGNATURE-----