oss-sec mailing list archives
Re: CVE request
From: Daniel Strøm <ds () eye4web dk>
Date: Sun, 11 Jan 2015 22:09:30 +0000
Thank you very much :) On Sun Jan 11 2015 at 3:41:04 PM <cve-assign () mitre org> wrote:
I'd like a CVE for the following security issue: https://github.com/ZF-Commons/ZfcUser/issues/550 And in text: Security advisory: XSS vulnerability in login redirect param ZfcUser version 1.2.2 has been released and includes a security for this vulnerability. Fix has been applied in @baf0e46 <https://github.com/ZF-Commons/ZfcUser/commit/baf0e460> Affected versions All versions below 1.2.2 are affected. dev-master is fixed starting from@2cc167a <https://github.com/ZF-Commons/ZfcUser/commit/2cc167a> Exploits Because of missing escaping of the URL param redirect a XSS attack is possible. For example: Setting the redirect param to "><a%20href="http://github.com">GitHub.com</a><inpu%20type="hidden"%20" would result in a link addedtothe login page. Resolution If you are using any version of ZfcUser below 1.2.2 please upgrade immediately by running composer update. Credits The vulnerability was discovered and fixed by @GyunerZeki <https://github.com/GyunerZeki>Use CVE-2015-1039. --- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Current thread:
- Re: CVE Request cve-assign (Jan 03)
- <Possible follow-ups>
- CVE request Daniel Strøm (Jan 08)
- Re: CVE request cve-assign (Jan 11)
- Re: CVE request Daniel Strøm (Jan 11)
- Re: CVE request cve-assign (Jan 11)
- CVE request Galen Charlton (Mar 03)
- Re: CVE request - Evergreen cve-assign (Mar 03)
- Re: CVE request - Evergreen Galen Charlton (Mar 03)
- Re: CVE request - Evergreen cve-assign (Mar 03)
- Re: CVE request - Evergreen cve-assign (Mar 03)