Bug 954573 (CVE-2015-8105) - VUL-0: CVE-2015-8105: Cross-site scripting (XSS) vulnerability in program/js/app.js in Roundcubewebmail before 1.0.7 and ...
Summary: VUL-0: CVE-2015-8105: Cross-site scripting (XSS) vulnerability in program/js/...
Status: RESOLVED FIXED
Alias: CVE-2015-8105
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Wolfgang Rosenauer
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/158714/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-11-11 08:46 UTC by Sebastian Krahmer
Modified: 2015-11-12 12:10 UTC
CC: 5 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Sebastian Krahmer 2015-11-11 08:46:57 UTC
CVE-2015-8105

Cross-site scripting (XSS) vulnerability in program/js/app.js in Roundcube
webmail before 1.0.7 and 1.1.x before 1.1.3 allows remote authenticated users to
inject arbitrary web script or HTML via the file name in a drag-n-drop file
upload.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8105
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8105.html
http://trac.roundcube.net/changeset/dd7db2179/github
http://trac.roundcube.net/ticket/1490530
http://lists.opensuse.org/opensuse-updates/2015-11/msg00030.html
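As an added illustration (not Roundcube's code and not the patch referenced above), the rendering pattern behind a file-name XSS in a drag-n-drop upload list, beside its escaped counterpart. The helper names, the sample file name and the crude tag check are constructed for this example.

```javascript
// Added example: rendering an attacker-controlled file name into an
// upload-list entry, the class of bug described by CVE-2015-8105.
// Runs under Node.js without a DOM; the returned strings are what a
// client would hand to innerHTML or jQuery .html().

// Minimal HTML escaper for text placed into element content or into a
// double-quoted attribute value.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the dropped File's name is concatenated straight into
// markup, so any tags inside the name are parsed by the browser.
function uploadEntryUnsafe(fileName, sizeBytes) {
  return '<li class="uploadfile">' + fileName + ' (' + sizeBytes + ' B)</li>';
}

// Hardened pattern: every untrusted value is escaped before it reaches the
// markup, in both attribute and text context; the size is coerced to a number.
function uploadEntrySafe(fileName, sizeBytes) {
  const safeName = escapeHtml(fileName);
  return '<li class="uploadfile" title="' + safeName + '">' +
         safeName + ' (' + Number(sizeBytes) + ' B)</li>';
}

// Review-time check: after removing the tags our own template emits, does any
// other tag survive in the output? True means untrusted markup got through.
function containsForeignTag(html) {
  const stripped = html.replace(/<\/?li\b[^>]*>/g, '');
  return /<[a-zA-Z!\/]/.test(stripped);
}

// Constructed sample: a dropped file whose name carries markup.
const SAMPLE_NAME = 'quarterly-report<img src=x onerror="alert(1)">.pdf';

function demo() {
  return {
    unsafeLeaks: containsForeignTag(uploadEntryUnsafe(SAMPLE_NAME, 1024)), // true
    safeLeaks: containsForeignTag(uploadEntrySafe(SAMPLE_NAME, 1024)),     // false
  };
}

console.log(demo());
```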
Comment 2 Wolfgang Rosenauer 2015-11-11 08:51:39 UTC
This has been released, right? Is there any other action required?
Comment 3 Swamp Workflow Management 2015-11-11 23:00:14 UTC
bugbot adjusting priority
Comment 4 Aeneas Jaißle 2015-11-11 23:07:02 UTC
There should be no action required; maybe Sebastian can confirm.
1.0.7 is released for 13.1 and 13.2, and 1.1.3 for Tumbleweed and Leap 42.1.
Comment 5 Andreas Stieger 2015-11-12 12:09:22 UTC
We had some SUSE internal review running; I missed updating the information.

Nothing to be done for openSUSE.