oss-sec mailing list archives
Stored XSS vulnerability in eGroupware Community Edition <= 16.1.20170703
From: chbi () chbi eu
Date: Thu, 28 Sep 2017 20:24:58 +0200
Hi,

there is a security issue in eGroupware Community Edition <= 16.1.20170703
(https://github.com/EGroupware/egroupware)

A stored XSS vulnerability allows an unauthenticated remote attacker to inject JavaScript via the browser User-Agent, which is triggered by the application administrator.

Fix: https://github.com/EGroupware/egroupware/commit/0ececf8c78f1c3f9ba15465f53a682dd7d89529f

The issue is fixed in eGroupware Community Edition 16.1.20170922. Until now the vendor has not marked the new version as a security update and has also not mentioned the security issue.
(https://github.com/EGroupware/egroupware/releases/tag/16.1.20170922)

I've requested a CVE ID (MITRE) but I have not received any yet.

--
chbi
https://chbi.eu
GPG: 3DE9 9187 4BE9 EAE6 3CA8 DC20 BA7B 93F9 9037 AE7E
https://chbi.eu/chbi.asc
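The class of bug reported above, as an added example that is not part of the original post and is not eGroupware's code (the actual fix is the linked commit): a User-Agent header stored from an unauthenticated request and later rendered in an administrator's view, with the unencoded renderer beside the encoded one. All function names, the row layout and the sample entry are assumptions made for illustration.

```php
<?php
// Added illustration; not eGroupware code. All names here are hypothetical.

// Normalise the header before storing it: drop control characters, cap length.
// This bounds what lands in the log but is NOT the XSS defence; output
// encoding is. A cut multibyte character is handled later by ENT_SUBSTITUTE.
function normalize_user_agent(?string $ua): string
{
    $clean = (string) preg_replace('/[\x00-\x1F\x7F]/', '', $ua ?? '');
    return substr($clean, 0, 255);
}

// HTML-encode a stored value for element or quoted-attribute context.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Unsafe: the stored header is concatenated into markup and parsed as HTML
// in the session of whoever opens the view.
function render_row_unsafe(array $entry): string
{
    return '<tr><td>' . $entry['ip'] . '</td><td>' . $entry['user_agent'] . '</td></tr>';
}

// Safe: every stored field is encoded at the point of output.
function render_row_safe(array $entry): string
{
    return '<tr><td>' . h($entry['ip']) . '</td><td>' . h($entry['user_agent']) . '</td></tr>';
}

// Constructed sample entry, as it would be stored from a request header.
$entry = [
    'ip'         => '203.0.113.7',
    'user_agent' => normalize_user_agent("Mozilla/5.0 <script>alert(1)</script>\r\n"),
];

echo render_row_unsafe($entry), PHP_EOL;
echo render_row_safe($entry), PHP_EOL;

// Regression check: no raw tag taken from the header may survive encoding.
if (strpos(render_row_safe($entry), '<script') !== false) {
    throw new RuntimeException('User-Agent reached the admin view unencoded');
}
```

The same check can be kept as a unit test around whichever view renders stored request headers, so a later template change that drops the encoding fails the build.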