From: Francesco Chicchiriccò <ilgrosso@apache.org>
Subject: [SECURITY] CVE-2018-17184 Apache Syncope
Date: Tue, 6 Nov 2018 10:03:50 +0100
To: dev@syncope.apache.org, user@syncope.apache.org, announce@apache.org, Joan Bono, oss-security@lists.openwall.com, security@apache.org
Reply-To: user@syncope.apache.org
CVE-2018-17184: Stored XSS

Description:
A malicious user with enough administration entitlements can inject HTML-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the entities above via the Admin Console, the injected JavaScript code is executed.

Severity: Important

Vendor: The Apache Software Foundation

Affects:
Releases prior to 2.1.2
Releases prior to 2.0.11

Solution:
2.0.X users should upgrade to 2.0.11
2.1.X users should upgrade to 2.1.2

Credit: This issue was discovered by Kevin Borras Soler.

References: https://syncope.apache.org/security

Attachment: signature.asc (OpenPGP digital signature)
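As an added example (not part of the advisory and not Syncope's own code), a small Python check an administrator can run while triaging this CVE: it decides whether a deployment version falls in the affected ranges stated above, flags stored values in the four entity fields the advisory names that contain HTML-like elements, and shows the escaping that neutralises such values when rendered. The entity dict shape and field names are constructed assumptions, not Syncope's REST payload format.

```python
import html
import re

# Affected ranges from CVE-2018-17184: 2.0.x before 2.0.11, 2.1.x before 2.1.2.
FIXED = {(2, 0): (2, 0, 11), (2, 1): (2, 1, 2)}


def parse_version(v):
    """Turn '2.0.10' or '2.1.2-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in v.split("-")[0].split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    """True/False for the 2.0.x and 2.1.x branches; None if the advisory does not cover the branch."""
    t = parse_version(version)
    fixed = FIXED.get(t[:2])
    return None if fixed is None else t < fixed


# The four injection points the advisory lists, mapped to an assumed field name per entity type.
FIELDS = {"connector": "displayName", "report": "name",
          "anytypeclass": "key", "policy": "description"}
# Heuristic for an HTML-like element: '<' directly followed by an optional '/' and a tag name.
TAG_RE = re.compile(r"</?[a-zA-Z][^>]*>")


def find_suspicious(entities):
    """Return (type, value) pairs whose stored field contains markup and deserves manual review."""
    hits = []
    for e in entities:
        field = FIELDS.get(e.get("type"))
        value = e.get(field, "") if field else ""
        if value and TAG_RE.search(value):
            hits.append((e["type"], value))
    return hits


def render_name(value):
    """Escape a stored value before it is placed into Admin Console markup (the class of fix shipped)."""
    return html.escape(value, quote=True)


SAMPLE = [  # constructed sample data, not taken from a real deployment
    {"type": "connector", "displayName": "LDAP production"},
    {"type": "report", "name": "Weekly audit <script>evil()</script>"},
    {"type": "anytypeclass", "key": "BaseUser"},
    {"type": "policy", "description": "Passwords: min length 8, a < b > c is fine"},
]
```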