diff options
Diffstat (limited to 'old/contacts/nc-sa-2018-005.json')
-rw-r--r-- | old/contacts/nc-sa-2018-005.json | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/old/contacts/nc-sa-2018-005.json b/old/contacts/nc-sa-2018-005.json new file mode 100644 index 0000000..74f9a05 --- /dev/null +++ b/old/contacts/nc-sa-2018-005.json @@ -0,0 +1,29 @@ +{ + "Title": "Stored XSS in contacts via group shares", + "Timestamp": 1529582400, + "Risk": 1, + "CVSS3": { + "score": 3.5, + "vector": "AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N" + }, + "CWE": { + "id": 79, + "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + }, + "Affected":[ + { + "Version":"2.1.2", + "CVE":"CVE-2018-3764", + "Operator":"<" + } + ], + "Description":"A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins.", + "ActionTaken": "The error has been fixed.", + "Acknowledgment":[ + { + "Name": "An anonymous hacker", + "Reason": "Vulnerability discovery and disclosure." + } + ], + "Resolution": "It is recommended that the contacts app is upgraded to 2.1.2." +} |