Message-ID: <5687DF93.4010109@apache.org>
Date: Sat, 2 Jan 2016 15:32:51 +0100
From: Stefan Seelmann <seelmann@...che.org>
To: users@...ectory.apache.org, dev@...ectory.apache.org, security@...che.org,
  full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [SECURITY] CVE-2015-5349: Apache Directory Studio command injection vulnerability

CVE-2015-5349: Apache Directory Studio command injection vulnerability

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Apache LDAP Studio 0.6.0 to 0.8.1
- Apache Directory Studio 1.0.0 to 2.0.0-M9

Description:
The CSV export did not escape the fields properly. Malicious users can
store specially crafted values in the LDAP server. When a user exports
that data to a CSV formatted file and subsequently opens it with a
spreadsheet application, the data is interpreted as a formula and executed.
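To illustrate the bug class the description names, here is an added Python example (not Apache Directory Studio's own code): a naive export that passes field values through unchanged beside one that neutralizes spreadsheet formula triggers and applies RFC 4180 quoting. The LDAP entries and attribute names are constructed sample data.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula; a tab or carriage return can also be used to slip one into a cell.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

def export_unescaped(entries, attributes):
    """The vulnerable pattern: field values are joined with commas as-is, so a
    value such as "=SUM(1,2)" reaches the spreadsheet as a live formula."""
    rows = [",".join(attributes)]
    for entry in entries:
        rows.append(",".join(str(entry.get(a, "")) for a in attributes))
    return "\n".join(rows) + "\n"

def neutralize_formula(value):
    """Defuse a leading formula trigger by prefixing a single quote, which makes
    spreadsheet applications read the cell as literal text. Leading whitespace
    is also checked so that "  =SUM(1,2)" does not slip past."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_PREFIXES) or text.lstrip().startswith(FORMULA_PREFIXES):
        return "'" + text
    return text

def export_escaped(entries, attributes):
    """The hardened export: csv.writer applies RFC 4180 quoting (protecting the
    file structure) and neutralize_formula protects the spreadsheet that later
    opens the file."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(attributes)
    for entry in entries:
        writer.writerow(neutralize_formula(entry.get(a, "")) for a in attributes)
    return buf.getvalue()

# Constructed sample entries: one benign value containing a comma and quotes,
# one description that a spreadsheet would evaluate as a formula.
SAMPLE_ATTRIBUTES = ["cn", "mail", "description"]
SAMPLE_ENTRIES = [
    {"cn": "Alice Example", "mail": "alice@example.org",
     "description": 'Engineer, "platform" team'},
    {"cn": "Bob Example", "mail": "bob@example.org", "description": "=SUM(1,2)"},
]

if __name__ == "__main__":
    print(export_unescaped(SAMPLE_ENTRIES, SAMPLE_ATTRIBUTES))
    print(export_escaped(SAMPLE_ENTRIES, SAMPLE_ATTRIBUTES))
```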

Mitigation:
Users should upgrade to Apache Directory Studio 2.0.0-M10

Credit:
This issue was discovered by Muhammad Shahmeer Amir.
