lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 7 Aug 2013 10:16:56 -0400
From: Chip Childers <chipchilders@...che.org>
To: security@...che.org, security@...udstack.apache.org,
  full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Updated [CVE-2013-2136] Apache CloudStack Cross-site scripting (XSS)
 vulnerabiliity

Issued: August 6, 2013
Updated: August 7, 2013

Product: Apache CloudStack
Vendor: The Apache Software Foundation
Vulnerability Type(s): Cross-site scripting (XSS)
Vulnerable version(s): Apache CloudStack versions 4.0.0-incubating,
                       4.0.1-incubating, 4.0.2 and 4.1.0
CVE References: CVE-2013-2136
Risk Level: Low
CVSSv2 Base Scores: 4 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Description:
The Apache CloudStack Security Team was notified of an issue found in
the Apache CloudStack user interface that allows an authenticated user
to execute cross-site scripting attack against other users within the
system.

Mitigation:
Updating to Apache CloudStack versions 4.1.1 or higher will mitigate
this vulnerability.

Please see the 4.1.1 release notes for further information about how to
upgrade:

http://cloudstack.apache.org/docs/en-US/Apache_CloudStack/4.1.1/html/Release_Notes/index.html

References:

https://issues.apache.org/jira/browse/CLOUDSTACK-2936

Credit:

This issue was identified by Oleg Boytsev from strongserver.org.

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ