Date: Wed, 28 Aug 2013 14:47:52 -0600 From: Vincent Danen <vdanen@...hat.com> To: oss-security@...ts.openwall.com Cc: cve-assign@...re.org Subject: Re: Re: CVE request: roundcube 0.9.3 fixes two XSS flaws * [2013-08-28 12:59:43 -0400] cve-assign@...re.org wrote: Perfect. Thank you so much for this. >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >> http://trac.roundcube.net/ticket/1489251 > >The first CVE assignment for this is CVE-2013-5645. The scope of this >CVE includes: > > http://trac.roundcube.net/changeset/93b0a30c1c8aa29d862b587b31e52bcc344b8d16/github > > Fix XSS vulnerability when editing a message "as new" or draft > > "rcmail_wash_html($body, array('safe' => 1), $cid_map);" > added in compose.inc > >The scope of this CVE also includes: > > http://trac.roundcube.net/changeset/ce5a6496fd6039962ba7424d153278e41ae8761b/github > > Fix XSS vulnerability when saving HTML signatures > > "rcmail_wash_html($save_data['signature']);" > added in save_identity.inc > >to the extent that this can cross privilege boundaries within the >Roundcube webmail product. > >All aspects of CVE-2013-5645 were discovered by und3r. These are all >CVE-2013-5645 references: > > http://trac.roundcube.net/wiki/Changelog#RELEASE0.9.3 > http://trac.roundcube.net/ticket/1489251 > http://trac.roundcube.net/changeset/ce5a6496fd6039962ba7424d153278e41ae8761b/github > http://trac.roundcube.net/changeset/93b0a30c1c8aa29d862b587b31e52bcc344b8d16/github > > >The scope of CVE-2013-5645 does not include any additional >exploitation approaches (if any) in Roundcube webmail, or other >products, that are related to: > > 'This kind of problem is present in all parts where there is > the "MCE" editor (or, more specifically, where there is a > <textarea> with the CSS class "mce_editor").' > >That may possibly have other CVE assignments if someone investigates >it at a later time. > > >Finally, there is a separate CVE assignment of CVE-2013-5646 for this >other issue with different affected versions: > > As far as we can tell from the > http://trac.roundcube.net/ticket/1489251 history, the > addressbook group vulnerability was discovered by dennis1993 > and affects only version 1.0-git (not version 0.9.2). There is > no direct statement that the addressbook group vulnerability > was fixed. It seems likely that the addressbook group > vulnerability could cross privilege boundaries if the "click on > this group after creation" action were performed by an > administrator who was visiting the addressbook of an > unprivileged user. > >http://trac.roundcube.net/ticket/1489251 is the only CVE-2013-5646 >reference that we know of at the moment. > >- -- >CVE assignment team, MITRE CVE Numbering Authority >M/S M300 >202 Burlington Road, Bedford, MA 01730 USA >[ PGP key available through http://cve.mitre.org/cve/request_id.html ] >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.4.14 (SunOS) > >iQEcBAEBAgAGBQJSHif2AAoJEGvefgSNfHMdcrEH/3cAf2Qn9FvArkhmvwGWhPmI >ddWBmTh0aoPNzuOYsNXT6ZMsBEFzRAFpcbCx4Mf32UvKO3tK/BJeQLC+eEk1XuzQ >0+59K2KKM5y/l13qwYP3I02RyvbQEDGzKsh1EsHlKwY2vcoPoHoETYutHPtQ6HEP >v2JgqyCMwaF+NGtqx2hK/eeiR0xBVf339ODHnii296d1KqCpcIAAPyoVGX75YZ3O >djG9lND36wHZ9S+Huy1APi1rx/SZnPxHjaBdtVU2GGAiGpu26zZpstN3HmVbMI+v >8jyYNpJstorjmgZqO/GwFoJ+M47YIwnISiMvCeItAClC2EwKKVRd1RLOZmGkeUM= >=vhpO >-----END PGP SIGNATURE----- -- Vincent Danen / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.