Bug 768525 (CVE-2011-4615) - CVE-2011-4615 zabbix: persistent XSS flaws in 1.8.x
Summary: CVE-2011-4615 zabbix: persistent XSS flaws in 1.8.x
Status: CLOSED ERRATA
Alias: CVE-2011-4615
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20111214,repor...
Keywords: Security
Depends On: 768539 768540
Blocks:
Reported: 2011-12-16 22:13 UTC by Vincent Danen
Modified: 2016-03-04 11:15 UTC (History)
Last Closed: 2014-01-06 19:29:41 UTC



Description Vincent Danen 2011-12-16 22:13:00 UTC
Zabbix 1.8.10rc1 was released [1] to correct persistent cross-site scripting vulnerabilities due to improper sanitization of the gname variable when creating user and host groups [2].

[1] http://www.zabbix.com/rn1.8.10rc1.php
[2] https://support.zabbix.com/browse/ZBX-4015

Comment 1 Vincent Danen 2011-12-16 22:17:57 UTC
CVE requested:

http://www.openwall.com/lists/oss-security/2011/12/16/2

Comment 2 Vincent Danen 2011-12-16 22:47:58 UTC
This was assigned the name CVE-2011-4615:

http://www.openwall.com/lists/oss-security/2011/12/16/3

Comment 3 Vincent Danen 2011-12-16 22:48:56 UTC
Created zabbix tracking bugs for this issue

Affects: fedora-all [bug 768539]
Affects: epel-6 [bug 768540]

Comment 4 Fedora Update System 2012-01-07 22:57:51 UTC
zabbix-1.8.10-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2012-01-07 23:06:21 UTC
zabbix-1.8.10-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2012-01-15 23:28:13 UTC
zabbix-1.8.10-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Volker Fröhlich 2012-07-22 21:57:35 UTC
As far as EPEL 6 and Fedora are concerned, this can be closed, shipping 1.8.14.

Comment 8 Tomas Hoger 2012-07-23 07:37:16 UTC
EPEL5 has zabbix-1.4.7-1.el5.  This bug does not mention if that version is affected or not.  Does it need fixing?

Comment 9 Volker Fröhlich 2014-01-06 19:29:41 UTC
zabbix 1.4.7 was retired and blocked in EPEL 5, as there is no upstream support for this version. This was the only remaining version potentially or actually prone to this issue, thus closing.

Users are encouraged to update to zabbix20 or later.

