Date: Sun, 11 Jan 2015 09:41:00 -0500 (EST)
To: Daniel Strøm <>
Subject: Re: CVE request

> I'd like a CVE for the following security issue:
> And in text:
> Security advisory: XSS vulnerability in login redirect param
> ZfcUser version 1.2.2 has been released and includes a security fix for this
> vulnerability. The fix has been applied in @baf0e46
> <>
> Affected versions
> All versions below 1.2.2 are affected. dev-master is fixed starting from @
> 2cc167a <>
> Exploits
> Because of missing escaping of the URL param redirect, an XSS attack is
> possible.
> For example: Setting the redirect param to "><a%20href="
> "></a><inpu%20type="hidden"%20" would result in a link added to
> the login page.
> Resolution
> If you are using any version of ZfcUser below 1.2.2 please upgrade
> immediately by running composer update.
> Credits
> The vulnerability was discovered and fixed by @GyunerZeki
> <>

Use CVE-2015-1039.


CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
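The breakout the quoted advisory describes, shown as an added PHP example that is neither ZfcUser's own view code nor part of this thread: a login form writes the redirect query parameter into a hidden input's value attribute, once unescaped and once escaped for the HTML attribute context. The function names, the tag-counting check and the https://attacker.example/ host are this example's own assumptions; the payload is modelled on the advisory's, URL-decoded.

```php
<?php
declare(strict_types=1);

// Added example, not ZfcUser code. The two render functions are hypothetical
// stand-ins for the hidden "redirect" field a login form template emits.

// Vulnerable form: the query parameter is concatenated into an attribute
// value with no escaping, so a double quote in the input ends the attribute
// and everything after it is parsed as new markup.
function renderRedirectFieldVulnerable(string $redirect): string
{
    return '<input type="hidden" name="redirect" value="' . $redirect . '">';
}

// Hardened form: escape for the attribute context. ENT_QUOTES covers both
// quote characters, so the value can never close the attribute it sits in;
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the output.
function renderRedirectFieldFixed(string $redirect): string
{
    $safe = htmlspecialchars($redirect, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="redirect" value="' . $safe . '">';
}

// Crude check used only by this example: count start tags in the rendered
// fragment. A correct rendering of one hidden input contains exactly one.
function countStartTags(string $html): int
{
    return (int) preg_match_all('/<[a-zA-Z][^>]*>/', $html);
}

// Constructed payload in the shape the advisory gives, URL-decoded: close the
// value attribute and the input, inject a link, then open a second hidden
// input whose dangling attribute swallows the template's trailing '">'.
$payload = '"><a href="https://attacker.example/">click</a><input type="hidden" "';

foreach (['vulnerable' => 'renderRedirectFieldVulnerable',
          'fixed'      => 'renderRedirectFieldFixed'] as $label => $fn) {
    $html = $fn($payload);
    printf("%-10s tags=%d  %s\n", $label, countStartTags($html), $html);
}
```

Run with `php example.php`: the vulnerable line renders three start tags, one of them the attacker-controlled anchor the advisory mentions, while the fixed line renders a single input whose value carries `&quot;&gt;&lt;a ...` as inert text. In a Zend Framework 2 view script the equivalent of the `htmlspecialchars` call is the `escapeHtmlAttr()` view helper; plain `escapeHtml()` is the wrong context for an attribute value. Escaping closes the XSS only; whether the redirect target itself should be restricted to local paths is a separate check this advisory does not address.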
