oss-sec mailing list archives
Re: CVE Request: Request Tracker: cross-site scripting in cryptography interface
From: cve-assign () mitre org
Date: Tue, 18 Aug 2015 01:57:36 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Could you please assign a CVE for the second cross-site scripting issue mentioned in http://blog.bestpractical.com/2015/08/security-vulnerabilities-in-rt.html

RT 4.2.0 and above are vulnerable to a cross-site scripting (XSS) attack via the cryptography interface. This vulnerability could allow an attacker with a carefully-crafted key to inject JavaScript into RT's user interface. Installations which use neither GnuPG nor S/MIME are unaffected.

Fixed by: https://github.com/bestpractical/rt/commit/36a461947b00b105336adb4997d1c7767d8484c4

According to Shawn M. Moore (Cc'ed), no CVE was requested for this second issue.
Escape message crypt status as we insert it into the DOM
The ->{'Value'} part of each message is inserted into the DOM with no escaping (to accommodate MakeClicky and callbacks using HTML). Values RT receives from other systems must be escaped or they leave us vulnerable to an XSS injection attack.
Use CVE-2015-6506.

- --
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJV0siQAAoJEKllVAevmvmsVZsIAIs5LowTk+7CE+Yenbu8LpB7
+t4iA5AEbUNm5IvTO4DUDzbfMoYCRC1q8NFESf1yNNpGp5xZfxMPO5SMOP6IYOEW
LIl5jQYTvInesIL+vLlceUY2Y85aiGEOWSite8iKTkHLL/PnYBPsSva+uhVkbd51
JKqA1VFmlA4Y7gML+bhn8sJwB5q6XhI55IjvW6oxzypGtQf96odMgvmluqg7oF8R
f/y5KsWl4GZbHgyOhQt6FMy/SFYMPaZfDeDd5XVaWgBRO2NyOVfCKrnYmxrCO0Z+
Sfdncx7S4bvaUvKLcLRgO813qrBNaKW87qwwMQ5eZ8WqtTz+dCE8U7M6Q6PYNg4=
=3olU
-----END PGP SIGNATURE-----
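The defect the commit message describes is the ordering of two steps: a status line coming back from GnuPG or S/MIME (key user IDs, fingerprints, free-text messages) was dropped straight into the page so that RT's own decoration (MakeClicky, callbacks) could emit HTML, which means a user ID crafted to contain markup lands in the DOM unescaped. The example below is added here for illustration; it is not RT's code (RT is Perl/Mason, this is Python), it is not part of this thread, and the per-message `Tag`/`Value` structure, the `make_clicky` stand-in for MakeClicky, and the crafted key user ID are all assumptions constructed for the demonstration. It renders the same messages the pre-fix way (decorate, then insert raw) and the post-fix way (escape the external value first, then decorate), and shows that a link in the text still survives the fix.

```python
import html
import re

# Constructed sample, not real RT data. The message structure is assumed.
# The Value carries a key user ID as a crypto backend would return it
# verbatim, crafted here to contain markup (the "carefully-crafted key").
CRAFTED_MESSAGES = [
    {
        "Tag": "Status",
        "Value": 'Good signature from "Mallory <script>alert(document.cookie)'
                 '</script> <mallory@example.com>" '
                 "see https://example.org/keys?id=1&v=2",
    },
    {
        "Tag": "Fingerprint",
        "Value": "ABCD 1234 ABCD 1234 ABCD 1234 ABCD 1234 ABCD 1234",
    },
]

# Characters that may not appear inside the anchor's href unescaped.
URL_RE = re.compile(r'https?://[^\s<>"\']+')


def make_clicky(text):
    """Stand-in for RT's MakeClicky (assumption): wrap URLs in anchors.

    This is trusted markup that we generate, but it is only safe to emit if
    `text` has already been HTML-escaped; otherwise whatever markup the
    backend handed us rides along untouched.
    """
    return URL_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', text)


def render_vulnerable(messages):
    """Pre-fix behaviour: Value goes into the DOM without escaping so that
    MakeClicky and callbacks can add HTML. The attacker-controlled user ID
    therefore reaches the browser as live markup."""
    return "".join(
        f'<li><b>{html.escape(m["Tag"])}:</b> {make_clicky(m["Value"])}</li>'
        for m in messages
    )


def render_fixed(messages):
    """Post-fix behaviour: escape the externally supplied Value first, then
    apply our own trusted decoration on top of the escaped string. Escaping
    runs before decoration, so the anchors we add are the only markup left."""
    return "".join(
        f'<li><b>{html.escape(m["Tag"])}:</b> '
        f'{make_clicky(html.escape(m["Value"]))}</li>'
        for m in messages
    )


def contains_live_script(rendered):
    """True if a raw <script> element survived into the rendered HTML."""
    return "<script>" in rendered


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(CRAFTED_MESSAGES))
    print("fixed:     ", render_fixed(CRAFTED_MESSAGES))
```

The point worth carrying away is the order of operations, not the escaping call itself: anything that was already escaped can safely be wrapped in markup you generate, whereas markup applied to a raw backend string cannot be repaired afterwards without re-parsing HTML. In the fixed rendering the `&` in the query string becomes `&amp;`, which is the correct form inside an `href` attribute as well as in text.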
Current thread:
- CVE Request: Request Tracker: cross-site scripting in cryptography interface Salvatore Bonaccorso (Aug 13)
- Re: CVE Request: Request Tracker: cross-site scripting in cryptography interface cve-assign (Aug 17)