Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

OpenConext-EngineBlock 5.7.3 Cross Site Scripting

🗓️ 13 Jul 2018 00:00:00Reported by Andrew KlausType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 35 Views

OpenConext-EngineBlock 5.7.3 XSS vulnerabilities fixed in version 5.7.4 and 5.8.

Related
Code
ReporterTitlePublishedViews
Family
0day.today		OpenConext-EngineBlock 5.7.3 Cross Site Scripting Vulnerability
13 Jul 201800:00
zdt
CVE		CVE-2018-1000611
9 Jul 201820:00
cve
Cvelist		CVE-2018-1000611
9 Jul 201820:00
cvelist
EUVD		EUVD-2018-1948
7 Oct 202500:30
euvd
NVD		CVE-2018-1000611
9 Jul 201820:29
nvd
Prion		Cross site scripting
9 Jul 201820:29
prion
RedhatCVE		CVE-2018-1000611
22 May 202502:34
redhatcve
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
XSS vulnerabilities were found in multiple pages that allows an attacker to  
inject arbitrary web scripts.  
  
The Twig PHP extension configuration was not sanitizing user input before  
display it to the user.  
  
Issues fixed in version 5.7.4 and 5.8.0. Git commit here:  
https://github.com/OpenConext/OpenConext-engineblock/pull/566  
  
PoC URLs:  
https://engine.example.org/authentication/idp/help-discover?%22%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E  
https://engine.example.org/authentication/idp/single-sign-on?%22%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E  
  
CVE assigned: CVE-2018-1000611  
  
Timeline:  
- - - 2018-06-29: Notified SURFnet about the vulnerability  
- - - 2018-07-04: Patch pull request created on Github  
- - - 2018-07-04: CVE Requested  
- - - 2018-07-05: Patch was merged on Github  
- - - 2018-07-12: Announcing on Full Disclosure  
-----BEGIN PGP SIGNATURE-----  
  
iQE9BAEBCgAnIBxBbmRyZXcgS2xhdXMgPGFuZHJld0Bha2xhdXMuY2E+BQJbR6ae  
AAoJEFYqtOvsX+ttmS0H/AorN3q5I3GmVUcjEYhwym1E/VJVFD1vfPQQf/XGtXdu  
O9qPjfVFmuCG1jXItLJmtUEDVU/HI8bLubyvhFzrvGB4tyJ8Y5mMR2GTBvQ3+o4W  
ckgw7wcMGWiVNEjvddgGlALg0W8eC23NoZoi92J5Cg8Ni3+ARvt6j/7sRp4Jn+Kp  
x2h8GeoPSp920QMoTYrehh16W/bRNRz/a9Y63UfNLSqv4DmZsMoa9NzA91T0GexP  
MHpObqbf6arQ5UzFKKF/UUsrQ8aiAL7tKsrhHs+byZZoiuHw/18eLeY82UKN8ocD  
ysrciARYDc53T0slM9wJZ6zy8XHghKjIUV9QmFstNUk=  
=rdVB  
-----END PGP SIGNATURE-----  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 Jul 2018 00:00Current
6.4Medium risk
Vulners AI Score6.4
EPSS0.0024
xss vulnerabilitiestwig php extension configurationuser input sanitizationpatch pull requestcve-2018-1000611githubfull disclosure
35