oss-sec mailing list archives
Stored XSS vulnerability in Tine 2.0 Community Edition <= 2017.08.3
From: chbi () chbi eu
Date: Thu, 28 Sep 2017 20:17:26 +0200
Hi, there are security issues in Tine 2.0 Community Edition <= 2017.08.3 (https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/) Stored XSS vulnerability via IMG tag at "History" of Profile, Calendar, Tasks and CRM allows an authenticated user to inject JavaScript which is triggered by the application administrator and other users. Stored XSS vulnerability via IMG tag at "Leadname" of CRM allows an authenticated user to inject JavaScript which is triggered by the application administrator and other users. Stored XSS vulnerability via IMG tag at "Filename" of Filemanager allows an authenticated user to inject JavaScript which is triggered by the application administrator and other users. Fix: https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/bc8a6fbd3128cf5ef27d808f6c6ba869fdc2262b https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/146c5aaafd826c1c8990333c393bff6f64c90786 https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/24e39e1e930097b8793a03b8864d3c484ede546b The issues are fixed in Tine Community Edition 2017.08.4. Until now vendor has not marked the new version as security update and also not mentioned the security issues. (https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/releases/tag/2017.08.4) I've requested CVE IDs (MITRE), but I have not received any yet. -- chbi https://chbi.eu GPG: 3DE9 9187 4BE9 EAE6 3CA8 DC20 BA7B 93F9 9037 AE7E https://chbi.eu/chbi.asc
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- Stored XSS vulnerability in Tine 2.0 Community Edition <= 2017.08.3 chbi (Sep 28)