lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 27 Mar 2020 14:20:30 +0100
From: Vladimir Bostanov <>
To: <>
Subject: [FD] [SYSS-2019-046] Micro Focus Vibe - HTML Injection

Hash: SHA512

Advisory ID: SYSS-2019-046
Product: Micro Focus Vibe (formerly Novelle Vibe)
Manufacturer: Micro Focus International plc
Affected Version(s): 4.0.6
Tested Version(s): 4.0.6
Vulnerability Type: HTML Injection (CWE-79)
Risk Level: Low
Solution Status: Fixed
Manufacturer Notification: 2019-11-07
Solution Date: 2020-03-24
Public Disclosure: 2020-03-25
CVE Reference: Not assigned
Author of Advisory: Dr. Vladimir Bostanov, SySS GmbH



Micro Focus Vibe is a web-based team collaboration platform that can
serve as a knowledge repository, document management system, project
collaboration hub, process automation machine, corporate intranet or
extranet [1].

The manufacturer describes the product as follows (see [2]):

 "Micro Focus Vibe (formerly Novell Vibe) brings people, projects, and
  processes together in one secure place to enhance team productivity --
  no matter where the team is or what devices they use."

Due to insufficient server-side validation of user input, Vibe is
vulnerable to injection of malicious HTML markup into file titles.
(For a related vulnerability, see our advisory SYSS-2019-047 [3])


Vulnerability Details:

In Vibe, an uploaded file can be assigned a title that is different
from the filename. While HTML markup is not allowed in filenames, it is
partially accepted in file titles. This behavior poses a low to medium
security risk, because it can be exploited by an authenticated attacker
to inject malicious HTML markup into the title of a file uploaded by
the attacker. For instance, the attacker can submit an external link as
a file title, thus changing Vibe's expected behavior upon clicking on
the title -- the malicious external resource will be requested instead
of the internal page of the uploaded file. With a little social
engineering, authenticated victims can be tricked into submitting their
Vibe credentials to the attacker's server, by directing the victim's
browser to a fake Vibe login page and prompting the victim to log in
again, because of an alleged error.


Proof of Concept (PoC):

An authenticated attacker uploads a file with, e.g., the following

  </a><a href="">Meaningful Title

An authenticated victim sees the title "Meaningful Title" on the list of
latest uploads and clicks on it. The victim's browser is directed to the
fake Vibe login page with the URL



Upgrade Vibe to version 4.0.7.


Disclosure Timeline:

2019-10-27: Vulnerability discovered
2019-11-07: Vulnerability reported to manufacturer
2020-03-24: Patch released by manufacturer
2020-03-25: Public disclosure of vulnerability



[1] WikipediA Article on Novelle Vibe

[2] Product website for Micro Focus Vibe

[3] SySS Security Advisory SYSS-2019-047
Stored Cross-Site Scripting (XSS) in Micro Focus Vibe

[4] SySS Security Advisory SYSS-2019-046
HTML Injection in Micro Focus Vibe

[5] SySS Responsible Disclosure Policy



This security vulnerability was found
by Dr. Vladimir Bostanov of SySS GmbH.

Public Key:
Key ID: 0xA589542B
Key Fingerprint: 4989 C59F D54B E926 3A81 E37C A7A9 1848 A589 542B



The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory
may be updated in order to provide as accurate information as possible.
The latest version of this security advisory is available on the
SySS GmbH web site.



Creative Commons - Attribution (by) - Version 3.0



Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists