Bug 1110122 (CVE-2014-4165) - CVE-2014-4165 ntop: cross-site scripting (XSS) flaw in rrdPlugin
Summary: CVE-2014-4165 ntop: cross-site scripting (XSS) flaw in rrdPlugin
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2014-4165
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1110123 1110124
Blocks:
Reported: 2014-06-17 06:13 UTC by Murray McAllister
Modified: 2019-09-29 13:18 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-08 02:33:39 UTC
Embargoed:



Description Murray McAllister 2014-06-17 06:13:40 UTC
A cross-site scripting flaw was found in ntop's rrdPlugin plug-in. An attacker could use this flaw to perform cross-site scripting attacks against users of the ntop web interface.

Original report: http://packetstormsecurity.com/files/127043/ntop-xss.txt

The issue seems to be both with content inside the <title> tags, and any trailing content afterwards.

The 5.0.7 version in Fedora 20 is definitely affected. I have not tested the 3.3.9 version in EPEL 5.

Comment 1 Murray McAllister 2014-06-17 06:15:05 UTC
Created ntop tracking bugs for this issue:

Affects: fedora-all [bug 1110123]
Affects: epel-all [bug 1110124]

Comment 3 Product Security DevOps Team 2019-06-08 02:33:39 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

