Monday, June 29, 2020

Tryton News: Security Release for issue9405

Synopsis

A vulnerability in sao has been found by Coopengo and solved by Nicolas Évrard.

With issue 9405, the web client does not escape the HTML tags from user data in richtext widgets. This allows cross-site scripting attacks which can result in session hijacking, persistent phishing attacks, and persistent external redirects to a malicious source.
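The defect described above, rendering a rich-text field value as raw markup, shown beside a hardened renderer. This is an added illustration, not sao's own code: `renderRichTextUnsafe`, `renderRichTextSafe`, the allow-list and the sample value are all constructed for this example. The hardened version escapes every character that is significant in HTML, then re-enables only exact, attribute-free formatting tags from a small allow-list, so injected scripts and event-handler attributes can never reach the DOM as markup.

```javascript
// Characters that must be escaped before user data is inserted into HTML.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Vulnerable pattern (hypothetical, mirrors the issue): the stored value is
// emitted as markup unchanged, so any tag a user saved becomes live HTML.
function renderRichTextUnsafe(value) {
  return '<div class="richtext">' + value + '</div>';
}

// Formatting tags the widget is allowed to render (constructed allow-list).
const ALLOWED_TAGS = ['b', 'i', 'u', 'p', 'br'];

// Hardened pattern: escape everything first, then turn back only the exact
// strings "<tag>" and "</tag>" for allow-listed tags. Anything with
// attributes (e.g. onclick=...) or any other tag (script, img, a) stays
// escaped text, which the browser displays but never executes.
function renderRichTextSafe(value) {
  let html = escapeHtml(value);
  for (const tag of ALLOWED_TAGS) {
    html = html
      .replace(new RegExp('&lt;' + tag + '&gt;', 'g'), '<' + tag + '>')
      .replace(new RegExp('&lt;/' + tag + '&gt;', 'g'), '</' + tag + '>');
  }
  return '<div class="richtext">' + html + '</div>';
}

// Simple detection helper used to compare the two renderers.
function containsScript(html) {
  return /<script/i.test(html);
}

// Constructed sample: legitimate bold text plus an injected script tag and
// an injected event-handler attribute.
const sample = '<b>Invoice</b> <script>alert(1)</script> <p onclick="x()">x</p>';

console.log('unsafe renders script:', containsScript(renderRichTextUnsafe(sample)));
console.log('safe renders script:  ', containsScript(renderRichTextSafe(sample)));
```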

Impact

CVSS v3.0 Base Score: 4.6

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None

Workaround

There is no existing workaround.

Resolution

All affected users should upgrade sao to the latest version.
Affected versions per series:

  • 5.6: <= 5.6.3
  • 5.4: <= 5.4.9
  • 5.2: <= 5.2.17
  • 5.0: <= 5.0.25

Non-affected versions per series:

  • 5.6: >= 5.6.4
  • 5.4: >= 5.4.10
  • 5.2: >= 5.2.18
  • 5.0: >= 5.0.26

Reference

Concern?

Any security concerns should be reported on the bug-tracker at
https://bugs.tryton.org/ with the type security.
