Re: CVE Request: Request Tracker: cross-site scripting in cryptography interface

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Could you please assign a CVE for the second cross-site scripting
> issue mentioned in
> http://blog.bestpractical.com/2015/08/security-vulnerabilities-in-rt.html
>
> > RT 4.2.0 and above are vulnerable to a cross-site scripting (XSS)
> > attack via the cryptography interface.  This vulnerability could
> > allow an attacker with a carefully-crafted key to inject JavaScript
> > into RT's user interface. Installations which use neither GnuPG nor
> > S/MIME are unaffected.
>
> Fixed by:
> https://github.com/bestpractical/rt/commit/36a461947b00b105336adb4997d1c7767d8484c4
>
> According to Shawn M. Moore (Cc'ed) for this second issue there was
> not requested a CVE.

> > Escape message crypt status as we insert it into the DOM

> > The ->{'Value'} part of each message is inserted into the DOM with no
> > escaping (to accommodate MakeClicky and callbacks using HTML). Values RT
> > receives from other systems must be escaped or they leave us vulnerable to
> > an XSS injection attack.

Use CVE-2015-6506.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJV0siQAAoJEKllVAevmvmsVZsIAIs5LowTk+7CE+Yenbu8LpB7
+t4iA5AEbUNm5IvTO4DUDzbfMoYCRC1q8NFESf1yNNpGp5xZfxMPO5SMOP6IYOEW
LIl5jQYTvInesIL+vLlceUY2Y85aiGEOWSite8iKTkHLL/PnYBPsSva+uhVkbd51
JKqA1VFmlA4Y7gML+bhn8sJwB5q6XhI55IjvW6oxzypGtQf96odMgvmluqg7oF8R
f/y5KsWl4GZbHgyOhQt6FMy/SFYMPaZfDeDd5XVaWgBRO2NyOVfCKrnYmxrCO0Z+
Sfdncx7S4bvaUvKLcLRgO813qrBNaKW87qwwMQ5eZ8WqtTz+dCE8U7M6Q6PYNg4=
=3olU
-----END PGP SIGNATURE-----