CVE-2018-1000528 — Cross-site Scripting in Gosa

CWE-79 — Cross-site Scripting6 documents5 sources

Severity

6.1MEDIUMNVD

EPSS

0.5%

top 34.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gosa Project Gosa Debian Gosa Debian Linux

Timeline

PublishedJun 26

Latest updateMay 14

Description

GONICUS GOsa version before commit 56070d6289d47ba3f5918885954dcceb75606001 contains a Cross Site Scripting (XSS) vulnerability in change password form (html/password.php, #308) that can result in injection of arbitrary web script or HTML. This attack appear to be exploitable via the victim must open a specially crafted web page. This vulnerability appears to have been fixed in after commit 56070d6289d47ba3f5918885954dcceb75606001.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶debiandebian/gosa< gosa 2.7.4+reloaded3-5 (bookworm)

▶Debiangosa_project/gosa< 2.7.4+reloaded3-5+3

▶Ubuntugosa_project/gosa< 2.7.4+reloaded2-9ubuntu1.1

Also affects: Debian Linux 8.0, 9.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-fh4v-6j27-m5mf: GONICUS GOsa version before commit 56070d6289d47ba3f5918885954dcceb75606001 contains a Cross Site Scripting (XSS) vulnerability in change password for↗2022-05-14

▶

OSV

gosa vulnerabilities↗2020-10-28

▶

OSV

CVE-2018-1000528: GONICUS GOsa version before commit 56070d6289d47ba3f5918885954dcceb75606001 contains a Cross Site Scripting (XSS) vulnerability in change password for↗2018-06-26

▶

📋Vendor Advisories

Ubuntu

GOsa vulnerabilities↗2020-10-28

▶

Debian

CVE-2018-1000528: gosa - GONICUS GOsa version before commit 56070d6289d47ba3f5918885954dcceb75606001 cont...↗2018

▶