Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security Vulnerability #494

Closed
mschop opened this issue Nov 11, 2018 · 9 comments
Closed

Security Vulnerability #494

mschop opened this issue Nov 11, 2018 · 9 comments
Milestone

Comments

@mschop
Copy link

@mschop mschop commented Nov 11, 2018

Hi,

I found a security vulnerability in engelsystem. How shall I provide more details?

Best Regards
mschop

@MyIgel
Copy link
Member

@MyIgel MyIgel commented Nov 11, 2018

Hi @mschop, afaik there is no explicit address for this, so you should write a Message to the contact@engelsystem.de and @msquare will answer you. Afaik he is busy atm so it would be nice if you could include me in the conversation too ;)

@msquare
Copy link
Member

@msquare msquare commented Nov 11, 2018

Hi, please provide the details per e-mail to contact@engelsystem.de - or directly to me msquare@notrademark.de.

Thank you!

@mschop
Copy link
Author

@mschop mschop commented Nov 13, 2018

CVE-2018-19182

@MyIgel
Copy link
Member

@MyIgel MyIgel commented Nov 13, 2018

-v?

@mschop
Copy link
Author

@mschop mschop commented Nov 13, 2018

??

MyIgel added a commit to MyIgel/engelsystem that referenced this issue Nov 20, 2018
* Ensure that the form is submitted with a post request
* Replaced several links with forms

Closes engelsystem#494 (Security Vulnerability)
@MyIgel MyIgel added this to the 35c3 milestone Nov 20, 2018
@msquare msquare closed this in 944c29b Nov 21, 2018
msquare added a commit to MyIgel/engelsystem that referenced this issue Nov 24, 2018
* Ensure that the form is submitted with a post request
* Replaced several links with forms

Closes engelsystem#494 (Security Vulnerability)
@mschop
Copy link
Author

@mschop mschop commented Dec 22, 2018

@msquare is the fix already released?

@msquare
Copy link
Member

@msquare msquare commented Dec 22, 2018

Since the installation is still mostly done by cloning the repository, this may be seen as released, i guess.

@mschop
Copy link
Author

@mschop mschop commented Dec 22, 2018

@msquare Ok. Thanks. Then I publish the details right now for the CVE.

Those are the details regarding the security vulnerability:

There was no CSRF protection mechnism in engelsystem. This allowed attackers, to slip an user a spoofed request.

@msquare
Copy link
Member

@msquare msquare commented Dec 22, 2018

Yes, ok. Thank you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants