oss-sec mailing list archives

Re: CVE request: Remote code execution via XSL extensions in SpagoBI


From: cve-assign () mitre org
Date: Thu, 2 Oct 2014 13:08:30 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

https://www.spagoworld.org/jira/browse/SPAGOBI-1885
1) FEATURE_SECURE_PROCESSING is not set. This means an attacker can
provide an XSL document with embedded Java code, which will be executed
on the server.

Use CVE-2014-7296.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

-----END PGP SIGNATURE-----

