Date: Tue, 18 Aug 2015 01:57:36 -0400 (EDT)
From: cve-assign@...re.org
To: carnil@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, dom@...th.li, shawn@...tpractical.com
Subject: Re: CVE Request: Request Tracker: cross-site scripting in cryptography interface

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Could you please assign a CVE for the second cross-site scripting
> issue mentioned in
> http://blog.bestpractical.com/2015/08/security-vulnerabilities-in-rt.html
> 
> > RT 4.2.0 and above are vulnerable to a cross-site scripting (XSS)
> > attack via the cryptography interface.  This vulnerability could
> > allow an attacker with a carefully-crafted key to inject JavaScript
> > into RT's user interface. Installations which use neither GnuPG nor
> > S/MIME are unaffected.
> 
> Fixed by:
> https://github.com/bestpractical/rt/commit/36a461947b00b105336adb4997d1c7767d8484c4
> 
> According to Shawn M. Moore (Cc'ed), no CVE was requested for this
> second issue.

>> Escape message crypt status as we insert it into the DOM

>> The ->{'Value'} part of each message is inserted into the DOM with no
>> escaping (to accommodate MakeClicky and callbacks using HTML). Values RT
>> receives from other systems must be escaped or they leave us vulnerable to
>> an XSS injection attack.

Use CVE-2015-6506.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJV0siQAAoJEKllVAevmvmsVZsIAIs5LowTk+7CE+Yenbu8LpB7
+t4iA5AEbUNm5IvTO4DUDzbfMoYCRC1q8NFESf1yNNpGp5xZfxMPO5SMOP6IYOEW
LIl5jQYTvInesIL+vLlceUY2Y85aiGEOWSite8iKTkHLL/PnYBPsSva+uhVkbd51
JKqA1VFmlA4Y7gML+bhn8sJwB5q6XhI55IjvW6oxzypGtQf96odMgvmluqg7oF8R
f/y5KsWl4GZbHgyOhQt6FMy/SFYMPaZfDeDd5XVaWgBRO2NyOVfCKrnYmxrCO0Z+
Sfdncx7S4bvaUvKLcLRgO813qrBNaKW87qwwMQ5eZ8WqtTz+dCE8U7M6Q6PYNg4=
=3olU
-----END PGP SIGNATURE-----
