Common Vulnerabilities and Exposures assigned an identifier CVE-2011-4024 to the following vulnerability: Name: CVE-2011-4024 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4024 Assigned: 20111006 Reference: EXPLOIT-DB:18005 Reference: http://www.exploit-db.com/exploits/18005 Reference: http://www.ocsinventory-ng.org/fr/accueil/nouvelles/version-2-0-2-stable.html Reference: http://www.securityfocus.com/bid/50011 Reference: OSVDB:76135 Reference: http://osvdb.org/76135 Reference: SECUNIA:46311 Reference: http://secunia.com/advisories/46311 Reference: XF:ocsinventoryng-unspecified-xss(70406) Reference: http://xforce.iss.net/xforce/xfdb/70406 Cross-site scripting (XSS) vulnerability in ocsinventory in OCS Inventory NG 2.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
I'm not sure that this affects Fedora (as we ship 1.3.3). Unfortunately, I am completely unable to find any patch for this and the upstream web site is really unhelpful. Since there is no contact info on the site, I'm currently trying to find someone on IRC who may have further information.
Bug also affects version 1.3.3. As an upgrade to 2.0.2 is not immediately possible (major code changes, bundled libraires, ...) I have wrote a patch, inspired from 2.0.2 fix. I'm waiting for upstream feedback and will push a quick update soon. About this issue, GLPI, when synchronized with OCS, is not affected (data are properly cleaned before insert in the GLPI DB).
This issue affects the versions of the ocsinventory package, as shipped with Fedora release of 14 and 15. -- This issue affects the versions of the ocsinventory package, as shipped within Fedora EPEL 4, Fedora EPEL 5 and Fedora EPEL 6 repositories.
This issue has been scheduled to be corrected in the following updates: 1) ocsinventory-1.3.3-5.fc16, 2) ocsinventory-1.3.3-5.fc15, 3) ocsinventory-1.3.3-5.fc14, 4) ocsinventory-1.3.3-5.el6, 5) ocsinventory-1.3.3-5.el5, 6) ocsinventory-1.3.3-5.el4. The above packages have been pushed to particular -testing repositories, and upon required level of testing they will be pushed to -stable repositories.
Relevant upstream patches for the server code (thanks to Remi Collet for providing those): [1] http://bazaar.launchpad.net/~ocsinventory-core/ocsinventory-ocsreports/stable-2.0/revision/789 [2] http://bazaar.launchpad.net/~ocsinventory-core/ocsinventory-ocsreports/stable-2.0/revision/792
ocsinventory-1.3.3-5.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
ocsinventory-1.3.3-5.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
ocsinventory-1.3.3-5.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
ocsinventory-1.3.3-5.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.
ocsinventory-1.3.3-5.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
ocsinventory-1.3.3-5.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.