oss-sec mailing list archives

Re: XSS in CollectiveAccess 1.3 and earlier


From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 04 Nov 2013 13:17:31 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/04/2013 11:32 AM, Daniel Kahn Gillmor wrote:
> There was a cross-site scripting (XSS) vulnerability in
> CollectiveAccess, a web-based archive cataloging system written in
> PHP.
>
> CollectiveAccess 1.3.1 was released including this fix.
>
> http://www.collectiveaccess.org/news/collectiveaccess-version-1-3-1-released/
>
> The issue was reported at:
>
> http://clangers.collectiveaccess.org/jira/browse/PROV-638
>
> (the PROV-638 ticket may not be accessible to the public)
>
> The changeset fixing it is:
>
> https://github.com/collectiveaccess/providence/commit/b54e01419966c8d8f23db532caad91304c977776
>
> Regards,
>
> --dkg

Please use CVE-2013-4507 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

