Security Release for issue9394

ced · June 29, 2020, 4:30pm

Synopsis

A vulnerability in sao has been found by Cédric Krier.

With issue9394, the web client does not escape the HTML tags from user data. This allows cross-site scripting attacks which can result in session hijacking, persistent phishing attacks, and persistent external redirects to a malicious source.

Impact

CVSS v3.0 Base Score: 3.5

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Workaround

There is no existing workaround.

Resolution

All affected users should upgrade sao to the latest version.
Affected versions per series:

5.6: <= 5.6.3
5.4: <= 5.4.9
5.2: <= 5.2.17
5.0: <=5.0.25

Non affected versions per series:

5.6: >= 5.6.4
5.4: >= 5.4.10
5.2: >= 5.2.18
5.0: >= 5.0.26

Reference

issue9394

Concern?

Any security concerns should be reported on the bug-tracker at
https://bugs.tryton.org/ with the type security .

ced · July 29, 2020, 4:30pm

This topic was automatically closed after 30 days. New replies are no longer allowed.

Topic		Replies	Views
Security Release for issue9405 News security	1	1078	July 29, 2020
Security Release for issue9351 News security	0	1652	May 26, 2020
Security Release for issue9453 News security	1	1426	August 9, 2020
Security Release for issue9089 News security	0	1822	March 10, 2020
Security Release for issue7792 News security	1	7111	November 23, 2018