|
|||
Rule General Information |
---|
Release Date: | 2019-08-15 | |
Rule Name: | GONICUS GOsa WebUI Change Password Form Reflected Cross-Site Scripting Vulnerability (CVE-2018-1000528) | |
Severity: | ||
CVE ID: | ||
Rule Protection Details |
---|
Description: | GONICUS GOsa version before commit 56070d6289d47ba3f5918885954dcceb75606001 contains a Cross Site Scripting (XSS) vulnerability in change password form (html/password.php, #308) that can result in injection of arbitrary web script or HTML. This attack appear to be exploitable via the victim must open a specially crafted web page. This vulnerability appears to have been fixed in after commit 56070d6289d47ba3f5918885954dcceb75606001. | |
Impact: | An attacker can conduct a cross-site scripting attack to inject malicious client-side scripts into web pages viewed by other users, or to bypass access controls such as the same-origin policy, if affected version is installed. | |
Affected OS: | Windows, Others | |
Reference: | https://github.com/gosa-project/gosa-core/commit/56070d6289d47ba3f5918885954dcceb75606001 https://github.com/gosa-project/gosa-core/issues/14 https://lists.debian.org/debian-lts-announce/2018/07/msg00028.html https://www.debian.org/security/2018/dsa-4239 |
|
Solutions |
---|
The vendors have released upgrade patches to fix vulnerabilities, please visit: https://github.com/Froxlor/Froxlor/commit/c1e62e6be719affc003774a639de5c952ffd8ffc |