qutimdevelop team mailing list archive
Message #00622
[Bug 1036545] [NEW] Unauthorized Remote JS Code Execution
*** This bug is a security vulnerability ***
Private security bug reported:
QutIM
Version 0.3 and, possibly, earlier
Impact
Severity: Medium
Impact type: Unauthorized Remote JS Code Execution
Access Vector: Remote
CVSS v2:
Base Score: 5.4
Vector: (AV:A/AC:M/Au:N/C:P/I:P/A:P)
CVE: Not assigned
Vulnerability Description
The specialists of Positive Research, the Positive Technologies company,
detected Unauthorized Remote JS Code Execution in the QutIM application.
The vulnerability allows an attacker to send a specially crafted message with JS code, which will potentially be executed on the recipient’s side.
Example:
<svg onload="alert(1)">
The vulnerability was detected by Mikhail Firstov, Positive Research
Center (Positive Technologies Company)
** Affects: qutim
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of QutIM
Developers, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1036545
Title:
Unauthorized Remote JS Code Execution
Status in Multiplatform instant messenger:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/qutim/+bug/1036545/+subscriptions
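The class of fix this report calls for, as an added example that is not part of the original message and not qutIM's code: remote message text is HTML-escaped before it is placed into an HTML-rendered chat view. The template and the function names (escapeHtml, renderUnsafe, renderSafe, countTagOpeners) are hypothetical, and the assumption is that the client builds its chat view by inserting message text into HTML.

```cpp
#include <algorithm>
#include <iostream>
#include <string>

// Escape the characters that let text leave HTML text or attribute context.
std::string escapeHtml(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
        case '&':  out += "&amp;";  break;
        case '<':  out += "&lt;";   break;
        case '>':  out += "&gt;";   break;
        case '"':  out += "&quot;"; break;
        case '\'': out += "&#39;";  break;
        default:   out += c;        break;
        }
    }
    return out;
}

// Hypothetical chat-view template (not qutIM's own).
// Vulnerable form: remote text is concatenated into the page as markup.
std::string renderUnsafe(const std::string &sender, const std::string &body) {
    return "<div class=\"msg\"><b>" + sender + "</b>: " + body + "</div>";
}

// Hardened form: every remote-controlled field is escaped before insertion.
std::string renderSafe(const std::string &sender, const std::string &body) {
    return "<div class=\"msg\"><b>" + escapeHtml(sender) + "</b>: " +
           escapeHtml(body) + "</div>";
}

// Number of '<' in the output; the template alone contributes exactly 4.
long countTagOpeners(const std::string &html) {
    return std::count(html.begin(), html.end(), '<');
}

int main() {
    const std::string payload = "<svg onload=\"alert(1)\">"; // example from the report
    std::cout << renderUnsafe("contact", payload) << "\n"
              << renderSafe("contact", payload) << "\n";
    // Any count above 4 means message text was parsed as markup.
    std::cout << countTagOpeners(renderUnsafe("contact", payload)) << " vs "
              << countTagOpeners(renderSafe("contact", payload)) << "\n";
    return 0;
}
```

The tag-opener count works as a regression check: a rendered message whose count exceeds what the template contributes has let remote text through as markup.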