oss-sec mailing list archives

Stored XSS vulnerability in eGroupware Community Edition <= 16.1.20170703

From: chbi () chbi eu
Date: Thu, 28 Sep 2017 20:24:58 +0200

Hi,

there is a security issue in eGroupware Community Edition <=
16.1.20170703 (https://github.com/EGroupware/egroupware)


Stored XSS vulnerability allows an unauthenticated remote attacker to
inject JavaScript via Browser User-Agent which is triggered by the
application administrator.

Fix:
https://github.com/EGroupware/egroupware/commit/0ececf8c78f1c3f9ba15465f53a682dd7d89529f


The issue is fixed in eGroupware Community Edition 16.1.20170922.


Until now vendor has not marked the new version as security update and
also not mentioned the security issue.
(https://github.com/EGroupware/egroupware/releases/tag/16.1.20170922)


I've requested a CVE ID (MITRE) but I have not received any yet.


-- 
chbi
https://chbi.eu

GPG: 3DE9 9187 4BE9 EAE6 3CA8  DC20 BA7B 93F9 9037 AE7E
     https://chbi.eu/chbi.asc

Attachment: signature.asc
Description: OpenPGP digital signature

Current thread:

Stored XSS vulnerability in eGroupware Community Edition <= 16.1.20170703 chbi (Sep 28)
- Re: Stored XSS vulnerability in eGroupware Community Edition <= 16.1.20170703 chbi (Sep 29)