Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 04 Nov 2013 13:17:31 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Seth <seth@...rl-i-gig.com>
Subject: Re: XSS in CollectiveAccess 1.3 and earlier

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/04/2013 11:32 AM, Daniel Kahn Gillmor wrote:
> There was a cross-site scripting (XSS) vulnerability in 
> CollectiveAccess, a web-based archive cataloging system written in
> PHP.
> 
> CollectiveAccess 1.3.1 was released including this fix.
> 
> http://www.collectiveaccess.org/news/collectiveaccess-version-1-3-1-released/
>
> 
> 
> The issue was reported at:
> 
> http://clangers.collectiveaccess.org/jira/browse/PROV-638
> 
> (the PROV-638 ticket may not be accessible to the public)
> 
> The changeset fixing it is:
> 
> https://github.com/collectiveaccess/providence/commit/b54e01419966c8d8f23db532caad91304c977776
>
> 
> 
> Regards,
> 
> --dkg

Please use CVE-2013-4507 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJSeADbAAoJEBYNRVNeJnmTURYP/0ZSFU1OC2O5JFkaCRvVhgzF
ypKBkBlPVHQggxnXq77E3HjPjqRBPJtea3zISPwLk0mBFaCPnmGSVSNwicxo2ry7
QR3cxv5QPl8wWni23xNGByoEwI7RqNUTmrhriSP3wWQ3tsFuu9Bio+L3Mjr/OqG7
YuosmpfSv0zTKWBGmhAJzRtyhqmp4INC1uu/omTc2fELrOKaL9lhnpPGJdehZnRB
DqjG9lNpwpLK+7YknTlSwVd6HN4ZNONy0gsEG6Uo19O/l8fSuDn2gcV61Sse92F7
Lc4mVSluWBoforQlE9KrE4PDI6rcXh/32hZAjeXezVa3bweGWg+9A/94aau+cDsF
FRSkoruw094//8+Xg9O2EqoIhuaZBIzFleNp0EdxAxDFOJ51pBvQpJD08H9OHjqJ
rUrdj2HiIItFnpPl178c/YYoewiNDnyCAYp90K5EVRpWnQsoYQMiTJTYQCdwuQXv
eHPcrwLbUEGyIzPUQxrYseslQIWq+Cr/110nYq0QU8iBkxI4bDxkV2QeyuOPbPtn
4TmH5C7Auq7DFEtMaj1BXgd1DeJvaPTj2oEPt0JGgMzEwBo9iBDpD7PFopFcLsv7
oGAHd0+KMr/W/RnhRh6IxuCcGti1zYWbmi3z/t+XSJeTDuqKEdEqAtHY8n+iDCjP
E4IcaBRlRbgotx8407bW
=jRnU
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.