Synopsis
A vulnerability in sao has been found by Coopengo and solved by Nicolas Évrard.
With issue 9405, the web client does not escape HTML tags in user-supplied data shown in richtext widgets. This allows cross-site scripting attacks, which can result in session hijacking, persistent phishing attacks, and persistent external redirects to a malicious source.
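As an added illustration (not sao's code and not the actual fix for issue 9405): an allowlist sanitizer in JavaScript that rebuilds richtext markup before it is assigned to a widget's innerHTML, so that unexpected tags and event-handler attributes only ever reach the page as literal text. The tag and attribute lists and the sample inputs are assumptions made for this example.

```javascript
// Added example, not code from sao: allowlist sanitizer for richtext markup.
// Tag/attribute lists and sample inputs are assumptions for the illustration.
const ALLOWED_TAGS = new Set(['b', 'i', 'u', 'p', 'br', 'div', 'span']);
// Attributes kept on allowed tags; event handlers, href, style, etc. are dropped.
const ALLOWED_ATTRS = new Set(['align']);

// Escape the characters that would let text be read as markup.
function escapeHtml(text) {
  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Keep only allowlisted attributes, re-serialised with escaped values.
function filterAttrs(attrText) {
  const out = [];
  const re = /([a-zA-Z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (ALLOWED_ATTRS.has(name)) out.push(` ${name}="${escapeHtml(value)}"`);
  }
  return out.join('');
}

// Rebuild the markup from scratch: text is escaped, allowed tags are emitted
// with filtered attributes, and any other tag is rendered as literal text.
function sanitizeRichtext(markup) {
  const tagRe = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(markup)) !== null) {
    out += escapeHtml(markup.slice(last, m.index));
    last = tagRe.lastIndex;
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) {
      out += escapeHtml(m[0]); // e.g. <script>, <img>: shown as text, not run
    } else if (closing) {
      out += `</${name}>`;
    } else {
      out += `<${name}${filterAttrs(m[3])}>`;
    }
  }
  out += escapeHtml(markup.slice(last));
  return out;
}
```

The widget would then assign `sanitizeRichtext(value)` to its element's innerHTML instead of the raw record value; existing entities in the input are re-escaped, which is the safe direction for stored data that was never trusted.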
Impact
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Confidentiality: Low
- Integrity: Low
- Availability: None
Workaround
There is no existing workaround.
Resolution
All affected users should upgrade sao to the latest version.
Affected versions per series:
- 5.6: <= 5.6.3
- 5.4: <= 5.4.9
- 5.2: <= 5.2.17
- 5.0: <= 5.0.25
Non-affected versions per series:
- 5.6: >= 5.6.4
- 5.4: >= 5.4.10
- 5.2: >= 5.2.18
- 5.0: >= 5.0.26
Reference
Concern?
Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the type security.
from Planet Python