Date: Thu, 08 Jan 2015 13:57:43 +0000
From: Daniel Strøm <>
Subject: CVE request


I'd like a CVE for the following security issue:

And in text:
Security advisory: XSS vulnerability in login redirect param

ZfcUser version 1.2.2 has been released and includes a security fix for this
vulnerability. The fix has been applied in @baf0e46
Affected versions

All versions below 1.2.2 are affected. dev-master is fixed starting from @2cc167a

Because of missing escaping of the URL param redirect an XSS attack is
For example: Setting the redirect param to "><a%20href="
"></a><inpu%20type="hidden"%20" would result in a link added to
the login page.

If you are using any version of ZfcUser below 1.2.2 please upgrade
immediately by running composer update.

The vulnerability was discovered and fixed by @GyunerZeki

Thank you,

Daniel Strøm
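An added illustration of the attribute-context escaping the advisory refers to. This is example code written for this page, not ZfcUser's view template or its fix; the function names, the form markup and the decoded payload string are assumptions modelled on the advisory's description of the redirect param being placed unescaped into the login page.

```php
<?php
// Added example, not ZfcUser code. Shows how an unescaped "redirect" query
// param injected into an HTML attribute becomes an XSS sink, and how
// escaping for the attribute context closes it.
declare(strict_types=1);

// Vulnerable pattern (assumed): the raw param is interpolated into the
// form's action attribute with no escaping.
function renderLoginFormUnsafe(string $redirect): string
{
    return '<form action="/user/login?redirect=' . $redirect . '" method="post">'
         . '<input type="submit" value="Log in"></form>';
}

// Fixed pattern: escape for an HTML attribute. ENT_QUOTES turns both " and '
// into entities, so the value can no longer terminate the attribute;
// ENT_SUBSTITUTE keeps invalid UTF-8 from blanking the whole string.
function renderLoginFormSafe(string $redirect): string
{
    $escaped = htmlspecialchars($redirect, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="/user/login?redirect=' . $escaped . '" method="post">'
         . '<input type="submit" value="Log in"></form>';
}

// Optional defence in depth (not part of the advisory's fix): only accept a
// site-relative path. Rejects a leading "//" or "/\", which browsers treat
// as protocol-relative, so the value cannot point off-site even if it is
// later used for an actual redirect.
function isLocalPath(string $value): bool
{
    return (bool) preg_match('#^/(?![/\\\\])#', $value);
}

// Constructed payload in the shape the advisory gives, URL-decoded:
// it closes the action attribute, injects an <a> element, then opens a
// dangling attribute to swallow the markup that follows.
$payload = '"><a href="https://attacker.example/"></a><input type="hidden" "';

echo renderLoginFormUnsafe($payload), PHP_EOL;
// The browser now sees a real <a href="https://attacker.example/"> element
// inside the login page: the attribute boundary was broken by the first ".

echo renderLoginFormSafe($payload), PHP_EOL;
// The quote arrives as &quot; and the angle brackets as &lt; / &gt;, so the
// entire payload stays inside the action attribute as inert text.

echo (isLocalPath($payload) ? 'accepted' : 'rejected'), PHP_EOL;
// rejected: the value does not start with a single "/", so a whitelist
// check would have dropped it before it ever reached the template.
```

The escaping step is the one that matters for the XSS described above; in a Zend Framework 2 view the equivalent is the `escapeHtmlAttr` view helper rather than a bare `htmlspecialchars` call. The path check is an extra layer that also guards against the param being abused as an open redirect, which is a separate issue from the one this advisory covers.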
