Reflecting XSS vulnerability in administrative backend of Croogo v.2.2.0 #599

Closed
ghost opened this Issue Jan 3, 2015 · 8 comments

ghost commented Jan 3, 2015

Dear ladies and gentlemen.

Unfortunately, I haven't found a clear section on your webpage stating where to send security-related issues to via mail, so I'm using this platform.

I found a reflecting XSS vulnerability in your product Croogo v.2.2.0 residing in the administrative backend, which could be abused to trick an administrator into clicking a crafted link that executes arbitrary HTML and/or JavaScript code.

I am releasing an advisory on my blog (without technical details). Please provide me an email address where I can send my information to, so you can patch this vulnerability. If I don't hear anything from you by 17th January 2015, I am releasing the technical details as well.

Thank you.

Steffen Rösemann

rchavik commented Jan 4, 2015

Hi Stefan,

Thanks for the report. Please forward the details to security@croogo.org.

ghost commented Jan 4, 2015

Done! :-)

@rchavik rchavik added this to the 2.2.1 milestone Jan 12, 2015

rchavik commented Jan 12, 2015

Closing since 2.2.1 has been released.

Thank you

@rchavik rchavik closed this Jan 12, 2015

fgeek commented Jan 15, 2015

Could you add a web page with information on how to report security issues in the future? Thanks!

rchavik commented Jan 16, 2015

Hi,

We've brought back the "Support" menu in croogo.org.

The URL https://croogo.org/security has also been created. It redirects to the same Support page (with direct anchor link #security).

Do you think it will suffice?

ghost commented Jan 16, 2015

From my point of view, it will suffice, as I searched your official webpage for such a hint on how to send reports like mine to you. Now I would know. Do you agree, Henri?

fgeek commented Jan 16, 2015

Yes, thanks! :)

rchavik commented Jan 16, 2015

Cool.

Thanks for helping with security, guys.
