SVG:Advisory-SVG-2016-11107
Advisory-SVG-2016-11107
Title: EGI SVG Advisory [TLP:WHITE] 'Moderate' Risk: XSS in DIRAC Webapp and Web portal [EGI-SVG-2016-11107]

Date: 2016-10-21
Updated:

Affected Software and Risk
==========================

Moderate risk vulnerability concerning XSS in DIRAC Webapp and Web portal

Package : DIRAC Webapp and Web portal

Actions Required/Recommended
============================

Sites are recommended to update relevant components, if they have not done so since 25th August 2016 when the patched version was made available.

Affected software Details
=========================

Versions of DIRAC prior to v6r15 are affected.

More information
================

The reporter of the vulnerability stated that he was able to carry out an exploit, where an authenticated user could escalate their privilege.

Component installation information
==================================

See [R 1]. Information on the XSS vulnerability is at [R 2].

TLP and URL
===========

** WHITE information - Unlimited distribution **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2016-11107

Minor updates may be made without re-distribution to the sites

Credit
======

This vulnerability was reported by Simon Fayer from Imperial College, London.

References
==========

[R 1] https://github.com/DIRACGrid/DIRAC/wiki
[R 2] https://github.com/DIRACGrid/WebAppDIRAC/pull/251

Comments
========

Comments or questions should be sent to svg-rat at mailman.egi.eu

If you find or become aware of a vulnerability which is relevant to EGI, you may report it by e-mail to report-vulnerability at egi.eu; the EGI Software Vulnerability Group will take a look.

Timeline
========

Yyyy-mm-dd [EGI-SVG-2016-11107]

2016-05-17 Vulnerability reported by Simon Fayer who is a member of SVG.
2016-05-17 Software providers responded and involved in investigation
2016-05-18 EGI SVG Risk Assessment completed - discussed at SVG meeting.
2016-05-19 Assessment by the EGI Software Vulnerability Group reported to the software providers
2016-08-08 Updated packages available on the DIRAC website
2016-10-18 SVG asked whether it has been fixed, confirmed that it was
2016-10-21 Advisory/Alert sent to sites
2016-10-21 Public disclosure

On behalf of the EGI SVG,