Title:====== |
Tine v2.0 Maischa - Cross Site Scripting Vulnerability |
Date: |
===== |
2012-01-12 |
References: |
===========http://www.vulnerability-lab.com/get_content.php?id=379 |
VL-ID: |
===== |
379 |
Introduction: |
============= |
Tine 2.0 is an open source project which combines groupware and CRM in |
one consistent interface. Tine 2.0 is web-based |
and optimises collaboration and organisation of groups in a lasting |
manner. Tine 2.0 unites all the advantages of open |
source software with an extraordinarily high level of usability and an |
equally high standard of professional software |
development. This is what makes the difference between Tine 2.0 and |
many other existing groupware solutions. |
Tine 2.0 includes address book, calendar, email, tasks, time tracking |
and CRM. Intelligent functions and links make |
collaboration in Tine 2.0 a true pleasure and include: |
Synchronising mobile telephones, such as iPhone, Android, Nokia |
and Windows Mobile |
VoiP integration |
Flexible assigning of authorisation rights |
Dynamic lists |
Search functions |
History |
PDF export |
(Copy from the Vendor Homepage: http://www.tine20.org/) |
Abstract: |
========= |
Vulnerability-Lab Team Researcher discovered multiple persistent Web |
Vulnerabilities on the Tine v2.0 Content Management System. |
Report-Timeline: |
================ |
2011-12-01: Vendor Notification |
2012-01-12: Public or Non-Public Disclosure |
Status: |
======== |
Published |
Affected Products: |
================== |
MetaWays |
Product: Tine CMS v2.0 |
Exploitation-Technique: |
======================= |
Remote |
Severity: |
========= |
Medium |
Details: |
======== |
Multiple input validation vulnerabilities(persistent) are detected on |
Tine v2.0 Content Management System. Local attackers |
can include (persistent) malicious script code to manipulate specific |
user/admin requests. The vulnerability allows an |
local privileged attacker to manipulate the appliance(application) |
via persistent script code inject. Successful exploitation |
can result in session hijacking or persistent context manipulation on requests. |
Vulnerable Module(s): |
[+] New Contacts - Input & Output |
[+] Lead Name - Input & Output |
Picture(s): |
../1.png |
../2.png |
../3.png |
Risk: |
===== |
The security risk of the persistent software vulnerability is |
estimated as medium(-). |
Credits: |
======== |
Vulnerability Research Laboratory - Ucha Gobejishvili (longrifle0x) |
Disclaimer: |
=========== |
The information provided in this advisory is provided as it is without |
any warranty. Vulnerability-Lab disclaims all warranties, |
either expressed or implied, including the warranties of |
merchantability and capability for a particular purpose. |
Vulnerability- |
Lab or its suppliers are not liable in any case of damage, including |
direct, indirect, incidental, consequential loss of business |
profits or special damages, even if Vulnerability-Lab or its suppliers |
have been advised of the possibility of such damages. Some |
states do not allow the exclusion or limitation of liability for |
consequential or incidental damages so the foregoing limitation |
may not apply. Any modified copy or reproduction, including partially |
usages, of this file requires authorization from Vulnerability- |
Lab. Permission to electronically redistribute this alert in its |
unmodified form is granted. All other rights, including the use of |
other media, are reserved by Vulnerability-Lab or its suppliers.
Tidak ada komentar:
Posting Komentar