oss-sec mailing list archives

Reflected XSS vulnerability in Shaarli v0.9.1

From: chbi () chbi eu
Date: Sat, 7 Oct 2017 13:14:56 +0200

Hi,

I've discovered a security issue in Shaarli v0.9.1
(https://github.com/shaarli/Shaarli)


A reflected XSS vulnerability in Shaarli v0.9.1 allows an
unauthenticated attacker to inject JavaScript. If the victim is an
administrator, an attacker can (for example) takeover the admin session
or change global settings or add/delete links. It is also possible to
execute JavaScript against unauthenticated users.

Fix:
https://github.com/shaarli/Shaarli/pull/987


The issue is fixed in Shaarli v0.9.2.

https://github.com/shaarli/Shaarli/releases/tag/v0.9.2


I've requested a CVE ID (MITRE).

-- 
chbi
https://chbi.eu

GPG: 3DE9 9187 4BE9 EAE6 3CA8  DC20 BA7B 93F9 9037 AE7E
     https://chbi.eu/chbi.asc

Attachment: signature.asc
Description: OpenPGP digital signature

Current thread:

Reflected XSS vulnerability in Shaarli v0.9.1 chbi (Oct 07)
- Re: Reflected XSS vulnerability in Shaarli v0.9.1 chbi (Oct 10)