
Reflecting XSS vulnerability in administrative backend of Croogo v.2.2.0 #599

Closed
ghost opened this issue Jan 3, 2015 · 8 comments


ghost commented Jan 3, 2015

Dear ladies and gentlemen.

Unfortunately, I haven't found a clear section on your webpage where to send security related issues to via mail so I'm using this platform.

I found a reflecting XSS vulnerability in your product Croogo v.2.2.0 residing in the administrative backend which could be abused to trick an administrator to click a crafted link which executes arbitrary HTML- and/or JavaScript-code.

I am releasing an advisory on my blog (without technical details). Please provide me with an email address where I can send my information to, so you can patch this vulnerability. If I don't hear anything from you by 17th January 2015, I am releasing the technical details as well.

Thank you.

Steffen Rösemann
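The report above names the vulnerability class (reflected XSS reachable through a crafted link an administrator is tricked into opening) but withholds the affected page and parameter, which were only ever sent to the private address. The following is an added example, not Croogo's code and not the reporter's proof of concept: it uses constructed page templates, a hypothetical `q` parameter and constructed payloads to show why verbatim reflection of a query parameter executes attacker script in both an HTML text node and an attribute value, and why contextual output encoding (`html.escape`, the equivalent of CakePHP's `h()` helper in a CakePHP application) neutralizes it. The check parses the rendered markup the way a browser would rather than grepping for strings.

```python
"""Added example (not Croogo code): how a reflected parameter becomes an
XSS sink, and how output encoding closes it. Templates, the parameter
name 'q', the hostnames and the payloads are constructed for illustration;
the real issue's details were never published on this page."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed templates standing in for an admin "search" page. The
# vulnerable variant interpolates the parameter verbatim into an HTML
# text node and into a quoted attribute value; the fixed variant encodes
# the value for both of those contexts before interpolating it.
def render_vulnerable(q: str) -> str:
    return (f"<h1>Results for {q}</h1>\n"
            f'<input name="q" value="{q}">')

def render_fixed(q: str) -> str:
    safe = html.escape(q, quote=True)  # escapes & < > " '
    return (f"<h1>Results for {safe}</h1>\n"
            f'<input name="q" value="{safe}">')

def q_from_link(url: str) -> str:
    """Decode the reflected parameter from a crafted link as a browser would send it."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]

class _ScriptFinder(HTMLParser):
    """Records markup that would run attacker script once the page is parsed:
    <script> elements, on* event handler attributes and javascript: URLs."""
    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}={value!r}")
            elif name in ("href", "src") and value \
                    and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"{tag}@{name}={value!r}")

def executable_markup(page: str) -> list[str]:
    """Return every script-bearing construct the parser sees in `page`."""
    finder = _ScriptFinder()
    finder.feed(page)
    finder.close()
    return finder.findings

def audit(link: str, renderer) -> list[str]:
    """Render the page for the parameter carried by `link` and report what would execute."""
    return executable_markup(renderer(q_from_link(link)))

# Constructed links of the kind an administrator might be tricked into
# clicking: one payload aimed at the text-node context, one that breaks
# out of the quoted attribute value.
CRAFTED_LINKS = [
    "https://admin.example.invalid/admin/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "https://admin.example.invalid/admin/search?q=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E",
]

if __name__ == "__main__":
    for link in CRAFTED_LINKS:
        print("payload  :", q_from_link(link))
        print("vulnerable:", audit(link, render_vulnerable))
        print("fixed     :", audit(link, render_fixed))
```

`html.escape` is the right encoder only for HTML text and quoted attribute contexts; a value reflected into a `<script>` block, an inline event handler or a URL needs that context's own encoding, and an unquoted attribute value is still injectable even after escaping, so quote every attribute the template writes.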


rchavik commented Jan 4, 2015

Hi Stefan,

Thanks for the report. Please forward the details to security@croogo.org.


ghost commented Jan 4, 2015

Done! :-)

@rchavik rchavik added this to the 2.2.1 milestone Jan 12, 2015

rchavik commented Jan 12, 2015

Closing since 2.2.1 has been released.

Thank you

@rchavik rchavik closed this as completed Jan 12, 2015

fgeek commented Jan 15, 2015

Could you add a web page for information how to report security issues in the future, thanks!


rchavik commented Jan 16, 2015

Hi,

We've brought back the "Support" menu in croogo.org.

The URL https://croogo.org/security has also been created. It redirects to the same Support page (with direct anchor link #security).

Do you think it will suffice?


ghost commented Jan 16, 2015

From my point of view, it will suffice as I researched your official webpage for such a hint on how to send reports like mine to you. Now I would know. Do you agree Henri?


fgeek commented Jan 16, 2015

Yes, thanks! :)


rchavik commented Jan 16, 2015

Cool.

Thanks for helping with security guys.
