| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 24 Jan 2016 15:34:21 -0000 From: graphx@...aint.org To: fulldisclosure@...lists.org Subject: [FD] Eclipse BIRT Viewer <= v4.5.0 Persistent XSS -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 #Title: Eclipse Birt Report Viewer <= v4.5.0 Persistent XSS #Vendor homepage: http://www.eclipse.org #Discovered by: Multiple parties reported to vendor. (first in 2008!) #Vulnerability: Presistent XSS when viewing report containing javascript Description: This vulnerability has been present in the Eclipse BIRT Report Viewer for 8 years at least. It has survived at least two full revisions and the bug tickets notifying the vendor of the issue have not been assigned or moved out of New status. When previewing a generated report, the report viewer fails to sanitize the report data pulled and will execute javascript and other code. This could allow an attacker with access to the database the ability to add persistent malicious code to report data.The vendor has been notified by multiple parties, but there has been no activity on the issue, based on other similar bug tickets on the issue tracker. Please refer to the eclipse bug tracker page tickets below for additional information. This has been an issue since version 2.2.2 at least: https://bugs.eclipse.org/bugs/show_bug.cgi?id=233219 https://bugs.eclipse.org/bugs/show_bug.cgi?id=484952 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJWpO6MAAoJEGoTpzhfiAPxmicQAIwlWefTw6cQlx6zPRW9ha/9 3lr4/t2KVXYqassi7Xyd272d3Hwfm0NdUALkm+7yvJnvexBDA69iw/3KIPPEzUgq Z0ykSepgOvTZF/jvvAKvzXuXe266aJuO+hOIrkqMSmWI9C9WVn6vBG8RCcdnBnWl q0MrKnVjv+gkMckjYFhZX85S5n2aW8yRQw27k3HElcbGdnnaTEM/Cv2hJcgbu4YW 3Q6ggPToiAS+lb7i7iciebErDMEFRSxJDFuPP3DE24SMGRxb5n6/XOI4paCQVCcd LmiTL/LiE4je6eKt4Iwr+vac5pWMomntnO3zpsyl6PpWhO/j+lQiZ8gbFGlJLtoG 5vr1LN/Pa5+917D/WUCrpABQQPvEd0sJ78SXGdyKRQf43NTaBtpofrNnZpSdv20n Mkocybru6P+1duqVyHFqr1c92BE/KQpQ0CxwlbVpoxJoCoxj67rt/CqyGrjZleVL ZvWb3saGyZ/HmuAW4n9QTnHDZLVvRH1LTKB3H7PdMJuq67i+cUgfEerQ6+k8D1lE Q0giM+4iQvpxLhUgUrdJkUXUKbWx94XIpCd+5mmim8Hsst8fL8CTNKGc1TOMnStj bn3uzRgL2w3r3e44PZZQS/iL9xMAgx9ZUD3dMYsP47NMldC/48RBBjwSaawYlHs8 qmR+wETxu3ZVv7EdcRnS =g8e+ -----END PGP SIGNATURE----- _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists