|
|
|||
| Rule General Information |
|---|
| Release Date: | 2019-08-15 | |
| Rule Name: | GONICUS GOsa WebUI Change Password Form Reflected Cross-Site Scripting Vulnerability (CVE-2018-1000528) | |
| Severity: | ||
| CVE ID: | ||
| Rule Protection Details |
|---|
| Description: | GONICUS GOsa version before commit 56070d6289d47ba3f5918885954dcceb75606001 contains a Cross Site Scripting (XSS) vulnerability in change password form (html/password.php, #308) that can result in injection of arbitrary web script or HTML. This attack appear to be exploitable via the victim must open a specially crafted web page. This vulnerability appears to have been fixed in after commit 56070d6289d47ba3f5918885954dcceb75606001. | |
| Impact: | An attacker can conduct a cross-site scripting attack to inject malicious client-side scripts into web pages viewed by other users, or to bypass access controls such as the same-origin policy, if affected version is installed. | |
| Affected OS: | Windows, Others | |
| Reference: | https://github.com/gosa-project/gosa-core/commit/56070d6289d47ba3f5918885954dcceb75606001 https://github.com/gosa-project/gosa-core/issues/14 https://lists.debian.org/debian-lts-announce/2018/07/msg00028.html https://www.debian.org/security/2018/dsa-4239 |
|
| Solutions |
|---|
| The vendors have released upgrade patches to fix vulnerabilities, please visit: https://github.com/Froxlor/Froxlor/commit/c1e62e6be719affc003774a639de5c952ffd8ffc |