Difference between revisions of "SVG:Advisory-SVG-2016-11107"
<pre>
Title: EGI SVG Advisory [TLP:WHITE] 'Moderate' Risk: XSS in DIRAC Webapp and Web portal [EGI-SVG-2016-11107]
Date: 2016-10-21
Updated:

Affected Software and Risk
==========================

Moderate risk vulnerability concerning XSS in DIRAC Webapp and Web portal

Package : DIRAC Webapp and Web portal

Actions Required/Recommended
============================

Sites are recommended to update the relevant components, if they have not done so since
25th August 2016 when the patched version was made available.

Affected Software Details
=========================

Versions of DIRAC prior to v6r15 are affected.

More information
================

The reporter of the vulnerability stated that he was able to carry out an exploit
in which an authenticated user could escalate their privileges.

Component installation information
==================================

See [R 1]. Information on the XSS vulnerability is at [R 2].

TLP and URL
===========

** WHITE information - Unlimited distribution **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2016-11107

Minor updates may be made without re-distribution to the sites

Credit
======

This vulnerability was reported by Simon Fayer from Imperial College, London.

References
==========

[R 1] https://github.com/DIRACGrid/DIRAC/wiki
[R 2] https://github.com/DIRACGrid/WebAppDIRAC/pull/251

Comments
========

Comments or questions should be sent to svg-rat at mailman.egi.eu

If you find or become aware of a vulnerability which is relevant to EGI you may
report it by e-mail to

report-vulnerability at egi.eu

and the EGI Software Vulnerability Group will take a look.

Timeline
========

Yyyy-mm-dd [EGI-SVG-2016-11107]

2016-05-17 Vulnerability reported by Simon Fayer, who is a member of SVG.
2016-05-17 Software providers responded and became involved in the investigation
2016-05-18 EGI SVG Risk Assessment completed - discussed at SVG meeting
2016-05-19 Assessment by the EGI Software Vulnerability Group reported to the software providers
2016-08-08 Updated packages available on the DIRAC website
2016-10-18 SVG asked whether it had been fixed; confirmed that it was
2016-10-21 Advisory/Alert sent to sites
2016-10-21 Public disclosure

On behalf of the EGI SVG,
</pre>
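The advisory's only actionable technical detail is the version boundary: releases of DIRAC prior to v6r15 are affected. The following Python helper is an added example, not part of the advisory or of the DIRAC project's own code; it turns that boundary into a check a site can run over its inventory of installed release tags. It assumes DIRAC release tags follow the pattern v&lt;major&gt;r&lt;minor&gt;[p&lt;patch&gt;][-pre&lt;N&gt;] (e.g. v6r14p35, v6r15-pre2) and that a -preN tag sorts before the corresponding final release; the sample inventory at the bottom is constructed, not real site data.

```python
import re

# Added example (not part of the EGI SVG advisory or of DIRAC itself):
# decide whether an installed DIRAC release predates the fixed release
# v6r15 named in the advisory.
#
# Assumption: DIRAC release tags look like v<major>r<minor>[p<patch>][-pre<N>],
# e.g. "v6r14p35" or "v6r15-pre2", and a "-preN" tag is older than the
# final release with the same major/minor/patch numbers.

FIXED_RELEASE = "v6r15"

_TAG_RE = re.compile(
    r"^v(?P<major>\d+)r(?P<minor>\d+)(?:p(?P<patch>\d+))?(?:-pre(?P<pre>\d+))?$"
)


def parse_release(tag):
    """Turn a DIRAC release tag into a tuple that sorts chronologically.

    Returns (major, minor, patch, is_final, pre_number).  A final release
    carries is_final=1 so that "v6r15" sorts after "v6r15-pre3", while a
    missing patch number is treated as patch 0.  Raises ValueError for
    anything that is not a DIRAC-style tag, so an unparseable inventory
    entry is flagged instead of silently judged safe.
    """
    m = _TAG_RE.match(tag.strip())
    if not m:
        raise ValueError("not a DIRAC release tag: %r" % tag)
    major = int(m.group("major"))
    minor = int(m.group("minor"))
    patch = int(m.group("patch") or 0)
    pre = m.group("pre")
    if pre is None:
        return (major, minor, patch, 1, 0)
    return (major, minor, patch, 0, int(pre))


def is_affected(installed, fixed=FIXED_RELEASE):
    """True when the installed release is older than the fixed release."""
    return parse_release(installed) < parse_release(fixed)


def triage(installed_versions, fixed=FIXED_RELEASE):
    """Map every tag in an inventory to 'update' or 'ok'."""
    return {
        tag: ("update" if is_affected(tag, fixed) else "ok")
        for tag in installed_versions
    }


if __name__ == "__main__":
    # Constructed sample inventory of DIRAC installations (not real data).
    inventory = ["v6r14p35", "v6r15", "v6r15p3", "v6r15-pre2", "v6r13", "v7r0"]
    for tag, verdict in sorted(triage(inventory).items()):
        print("%-12s %s" % (tag, verdict))
```

The comparison is deliberately done on parsed integer tuples rather than on the tag strings: a lexical comparison would rank "v6r9" above "v6r15" and would treat "v6r15-pre2" as newer than "v6r15", both of which would misclassify an affected installation as patched.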
Revision as of 10:53, 21 October 2016