[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20130806154322.GG39316@USLT-205755.sungardas.corp>
Date: Tue, 6 Aug 2013 11:43:22 -0400
From: Chip Childers <chipchilders@...che.org>
To: security@...che.org, security@...udstack.apache.org,
full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [CVE-2013-2136] Apache CloudStack Cross-site
scripting (XSS) vulnerabiliity
Product: Apache CloudStack
Vendor: The Apache Software Foundation
Vulnerability Type(s): Cross-site scripting (XSS)
Vulnerable version(s): Apache CloudStack versions 4.0.0-incubating,
4.0.1-incubating, 4.0.2 and 4.1.0
CVE References: CVE-2013-2136
Risk Level: Low
CVSSv2 Base Scores: 4 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
Description:
The Apache CloudStack Security Team was notified of an issue found in
the Apache CloudStack user interface that allows an authenticated user
to execute cross-site scripting attack against other users within the
system.
Mitigation:
Updating to Apache CloudStack versions 4.1.1 or higher will mitigate
this vulnerability.
Please see the 4.1.1 release notes for further information about how to
upgrade:
http://cloudstack.apache.org/docs/en-US/Apache_CloudStack/4.1.1/html/Release_Notes/index.html
References:
https://issues.apache.org/jira/browse/CLOUDSTACK-2936
Content of type "application/pgp-signature" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists