ESB-2018.1067 - [Debian] ldap-account-manager: Cross-site scripting - Remote with user interaction 2018-04-10


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1067
                Two vulnerabilities in LDAP Account Manager
                               10 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ldap-account-manager
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-8763  

Reference:         ESB-2018.1000

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2018/04/msg00007.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : ldap-account-manager
Version        : 3.7-2+deb7u1
CVE ID         : CVE-2018-8763

Michal Kedzior found two vulnerabilities in LDAP Account Manager, a web
front-end for LDAP directories.

CVE-2018-8763

    The reflected Cross Site Scripting (XSS) vulnerability found might
    allow an attacker to execute JavaScript code in the victim's browser,
    or to redirect the victim to a malicious website, if the victim clicks
    on a specially crafted link.

For Debian 7 "Wheezy", these problems have been fixed in version
3.7-2+deb7u1.

We recommend that you upgrade your ldap-account-manager packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
