Date: Thu, 26 Feb 2015 10:38:20 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>,
 "tseaver@...ladion.com >> Tres Seaver" <tseaver@...ladion.com>,
 matt@...thewwilkes.name, nathan@...gheem.us,
 Assign a CVE Identifier <cve-assign@...re.org>
Subject: XSS In Zope

So originally Radek Steoger of Red Hat found an XSS in luci/conga:

==========
Within luci's use of Products.PluggableAuthService there appears to be
an XSS, e.g.:

https://luci.example.com:8084/acl_users/users/manage_updatePasswordForm?manage_tabs_message=%3Cscript%3Ealert('1234')%3C/script%3E
==========

This was tracked down to being in Products.PluggableAuthService (a
component of Zope). I notified the Zope security people, they tracked it
down on their end, this was actually found/fixed in 2009:

https://bugs.launchpad.net/zope2/+bug/490514

https://github.com/zopefoundation/Zope/commit/2abdf14620f146857dc8e3ffd2b6a754884c331d

and the fix was forward ported from the 2.10 branch, as well as to the
2.11 branch and the trunk. The fix landed in:

Zope 2.10.10
Zope 2.11.5
Zope 2.12.2

With thanks to Tres, Matt and Nathan for sorting this out/chasing it
down on Zope's end (basically they did all the heavy lifting).

So this should probably get a CVE from 2009.

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
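
A defender's check for the request pattern reported above, as an added example that is not part of the original post or of Zope's code: it scans web access-log lines for `manage_tabs_message` values that decode to markup. The log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

PARAM = "manage_tabs_message"   # query parameter named in the report
# Assumed combined-log layout: client address first, request line in quotes.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
MARKUP = re.compile(r"[<>]")    # a status message has no need for tags

# Constructed sample log lines (hypothetical clients and timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Feb/2015:10:00:01 +0000] "GET /acl_users/users/'
    'manage_updatePasswordForm?manage_tabs_message=Saved+changes. HTTP/1.1" 200 5120',
    '192.0.2.11 - - [26/Feb/2015:10:00:07 +0000] "GET /acl_users/users/'
    'manage_updatePasswordForm?manage_tabs_message='
    '%3Cscript%3Ealert(%271234%27)%3C/script%3E HTTP/1.1" 200 5180',
    '192.0.2.12 - - [26/Feb/2015:10:00:09 +0000] "GET /acl_users/users/'
    'manage_updatePasswordForm?manage_tabs_message='
    '%253Cb%253Ehi%253C%252Fb%253E HTTP/1.1" 200 5150',
    '192.0.2.13 - - [26/Feb/2015:10:00:12 +0000] "GET /index_html HTTP/1.1" 200 900',
]

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (bounded) so %253C is seen as '<'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return (client, decoded_message) pairs where PARAM carries markup."""
    hits = []
    for line in lines:
        match = REQUEST.match(line)
        if not match:
            continue  # not a request line in the assumed format
        client, target = match.groups()
        # parse_qs performs the first round of URL decoding.
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for raw in query.get(PARAM, []):
            message = fully_decode(raw)
            if MARKUP.search(message):
                hits.append((client, message))
    return hits

if __name__ == "__main__":
    for client, message in suspicious_requests(SAMPLE_LOG):
        print(f"{client}: {message!r}")
```

Hits on a server running a Zope release older than the fixed versions listed above are worth reviewing; on a fixed release they indicate probing rather than successful injection.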