Date: Fri, 7 Feb 2014 20:37:00 -0500 (EST)
From: cve-assign@...re.org
To: deviant.beta@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Dokeos 2.1.1 Multiple Stored XSS Vulnerabilities

> I have discovered several Stored XSS vulnerabilities in Dokeos ...
> Version 2.1.1.
> 
> *Path:* /dokeos-2.1.1/main/auth/profile.php
> 
> *Issue detail:*
> The problem is that the script does not sanitise the following parameters: "Phone",
> "Street", "Address line", "Zip code", "City".
> 
> 
> *Path:* /dokeos-2.1.1/main/social/groups.php?id=1
> 
> *Issue detail:*
> The problem is that if an attacker were to enter the following XSS vector as
> the "Subject Topic".
> 
> 
> *Path:* /dokeos-2.1.1/main/messages/view_message.php?id=6&f=social
> 
> The problem is similar to issue #2 if an attacker were to enter the following
> XSS vector in the Message itself.
> 
> 2014-01-15 - Third Vendor Notification (no reply).
> Please see the full report at http://www.xchg.info/?p=381

Use CVE-2014-1877.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]