[ixpmanager-announce] [RELEASE] v6.3.1 - XSS Security Fixes, Small Bug Fixes and Minor Improvements
Barry O'Donovan (INEX)
barry.odonovan at inex.ie
Tue Jun 20 11:08:25 IST 2023
We are pleased to announce the immediate availability of IXP Manager
v6.3.1.
This release primarily fixes a number of XSS security issues in IXP
Manager. These were discovered and responsibly disclosed by the GRNET IT
Security Team and we thank them for that.
This release is a bugfix release and so there are no database schema
changes.
Full details are available at:
https://github.com/inex/IXP-Manager/releases/tag/v6.3.1
Additional note regarding the security updates:
This release includes a fix for five XSS security bugs.
We judge that four of these bugs have a CVSS score of
CVSS:0.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:N. These can only be
exploited by an authenticated superadmin user who would enter
specifically crafted JavaScript code in specific input fields.
The final one we judge as CVSS:4.6/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L, as an
attack exploiting this could be possible from a sufficiently
sophisticated and motivated non-admin user who could find a way to
inject an XSS payload into a logged database object and could then
convince a superadmin to view that database change in the UI log tool.
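The stored-XSS path described above (payload lands in a logged database object, then renders in the log viewer for a superadmin) is mitigated by encoding every logged value at output time. The following is an added example written for this announcement, not IXP Manager's own code and not the patch shipped in v6.3.1; the log entry, the field names and the `renderLogRow` helpers are constructed for illustration.

```javascript
// Added example (not IXP Manager code): HTML-encode untrusted change-log
// values before building markup for a log viewer, so a payload stored in a
// logged database object is displayed as text instead of executing in the
// viewer's browser.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: raw values interpolated into markup. Any stored payload in
// entry.old / entry.new reaches the DOM unencoded (the shape of the bug class).
function renderLogRowUnsafe(entry) {
  return `<tr><td>${entry.user}</td><td>${entry.field}</td>` +
         `<td>${entry.old}</td><td>${entry.new}</td></tr>`;
}

// Hardened pattern: every attacker-influenced value is escaped at output time.
function renderLogRow(entry) {
  const cells = [entry.user, entry.field, entry.old, entry.new]
    .map((v) => `<td>${escapeHtml(v)}</td>`);
  return `<tr>${cells.join('')}</tr>`;
}

// Constructed sample log entry (placeholder values): a change whose new value
// carries a script tag, as a low-privilege user might manage to store.
const SAMPLE_ENTRY = {
  user: 'member-user@example.org',
  field: 'name',
  old: 'AS64496 Example Member',
  new: 'AS64496 <script>alert(1)</script>',
};

// Check used by the test: after removing the table tags this example itself
// emits, is any other HTML tag left in the rendered row?
function containsRawTag(html) {
  const stripped = html.replace(/<\/?(tr|td)>/g, '');
  return /<[a-zA-Z/!]/.test(stripped);
}

module.exports = { escapeHtml, renderLogRowUnsafe, renderLogRow, containsRawTag, SAMPLE_ENTRY };
```

In a Blade template the same effect comes from the default `{{ }}` echo, which escapes, rather than `{!! !!}`, which does not; the point of the example is that log-viewer output is untrusted data like any other and must go through the escaping path.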
Credit to the GRNET IT Security Team for responsibly disclosing these
issues.
Kind regards,
Barry O'Donovan