Date: Fri, 23 Aug 2013 14:18:49 -0400 (EDT)
Subject: Re: CVE request: roundcube 0.9.3 fixes two XSS flaws

As far as we can tell from the history, the addressbook
group vulnerability was discovered by dennis1993 and affects only
version 1.0-git (not version 0.9.2). There is no direct statement that
the addressbook group vulnerability was fixed. It seems likely that
the addressbook group vulnerability could cross privilege boundaries
if the "click on this group after creation" action were performed by
an administrator who was visiting the addressbook of an unprivileged

The other issues were discovered by und3r and affect version 0.9.2. At
least one of these issues (JavaScript code in the signature) also
affects version 1.0-git. There seems to be a dispute about whether
this signature issue crosses privilege boundaries. Apparently a user
can use the signature issue to attack himself, but there is no
discussion of whether an administrator can visit the "identity
configuration page" of an unprivileged user, and thereby become a
victim of the XSS attack. The signature issue might be interpreted as
a CVE-2012-4668 regression. Also, there is some indication that all of
the issues discovered by und3r might have a root cause of 'This kind
of problem is present in all parts where there is the "MCE" editor
(or, more specifically, where there is a <textarea> with the CSS class

Thus, so far, it seems that we should have one CVE for the addressbook
group vulnerability, and one CVE for all of the vulnerabilities
discovered by und3r. If anyone has established that the
vulnerabilities discovered by und3r don't all have the same affected
versions, please let us know. Also, if anyone thinks that the
vulnerabilities discovered by und3r were actually the responsibility
of a third-party product (such as TinyMCE), please mention that as

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]