Stored XSS vulnerability via IMG element at "History" of Profile, Calendar, Tasks, and CRM in Tine 2.0 Community Edition before 2017.08.4 allows an authenticated user to inject JavaScript, which is mishandled during rendering by the application administrator and other users.
References
Link | Resource |
---|---|
http://openwall.com/lists/oss-security/2017/09/28/11 | Mailing List Patch Third Party Advisory |
https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/146c5aaafd826c1c8990333c393bff6f64c90786 | Issue Tracking Patch Third Party Advisory |
https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/24e39e1e930097b8793a03b8864d3c484ede546b | Issue Tracking Patch Third Party Advisory |
https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/commit/bc8a6fbd3128cf5ef27d808f6c6ba869fdc2262b | Issue Tracking Patch Third Party Advisory |
https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/releases | Issue Tracking Release Notes Patch Third Party Advisory |
Configurations
History
No history.
Information
Published : 2017-09-30 01:29
Updated : 2024-02-04 19:29
NVD link : CVE-2017-14922
Mitre link : CVE-2017-14922
CVE.ORG link : CVE-2017-14922
JSON object : View
Products Affected
tine20
- tine_2.0
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')