
qutimdevelop team mailing list archive

[Bug 1036545] Re: Unauthorized Remote JS Code Execution

 

** Changed in: qutim
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of QutIM
Developers, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1036545

Title:
  Unauthorized Remote JS Code Execution

Status in Multiplatform instant messenger:
  Fix Released

Bug description:
  QutIM
  Version 0.3 and, possibly, earlier

  
  Impact

  Severity:       Medium
  Impact type:    Unauthorized Remote JS Code Execution
  Access Vector:  Remote

  CVSS v2:
  Base Score:     5.4
  Vector:         (AV:A/AC:M/Au:N/C:P/I:P/A:P)

  CVE:            Not assigned

  
  Vulnerability Description

  The specialists of Positive Research, the Positive Technologies
  company, detected Unauthorized Remote JS Code Execution in the QutIM
  application.

  The vulnerability allows an attacker to send a specially crafted
  message with JS code, which will potentially be executed on the
  recipient's side.
  Example:

  <svg onload="alert(1)">

  The vulnerability was detected by Mikhail Firstov, Positive Research
  Center (Positive Technologies Company)

To manage notifications about this bug go to:
https://bugs.launchpad.net/qutim/+bug/1036545/+subscriptions
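
Added example, not part of the original bug report and not qutIM's actual fix: output encoding of incoming message text before it is placed in an HTML chat log, checked against the payload quoted in the report. It assumes the chat view renders messages as HTML; render_message and its markup are hypothetical.

```cpp
#include <iostream>
#include <string>

// Encode untrusted text for HTML element content or a quoted attribute value.
// '&' is handled like any other character, so existing entities in the input
// are shown literally instead of being interpreted.
std::string html_escape(const std::string& in) {
    std::string out;
    out.reserve(in.size() + in.size() / 8);
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;        break;
        }
    }
    return out;
}

// Hypothetical helper: builds the fragment appended to the chat log.
// Both fields come from the remote peer, so both are encoded.
std::string render_message(const std::string& sender, const std::string& body) {
    return "<div class=\"msg\"><span class=\"from\">" + html_escape(sender) +
           "</span>: " + html_escape(body) + "</div>";
}

int main() {
    // Payload as quoted in the bug description; sender address is constructed.
    const std::string payload = "<svg onload=\"alert(1)\">";
    std::cout << render_message("contact@example.org", payload) << "\n";
    return 0;
}
```

With the encoding applied, the payload reaches the view as visible text and no element or event handler is created from it.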

