Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Summary

This vulnerability affects all installations of Open-AudIT prior to version 2.2.

...

Users are advised to upgrade ASAP when 2.2 is released.

Details

A vulnerability affecting the web view files is caused because of insufficient output escaping. The vulnerability requires an Admin level user to purposely insert javascript into a field that can be displayed in the web pages. This issue has been addressed by a review of all web view files in Open-AudIT Professional & Enterprise to ensure all output is sufficiently escaped before being sent to the browser.

Severity: Low

The conditions of successful exploitation are that the attacker must have Admin level access to Open-AudIT and maliciously insert javascript code to a field that is (was) not correctly escaped prior to browser output.

Products Affected

Open-AudIT Professional and Enterprise 2.1 and earlier. Open-AudIT Community is not affected by this vulnerability.

Available Updates

A patch for the issue described in this bulletin is available in the soon to be released Open-AudIT v2.2. This release will be available shortly from http://www.openaudit.org and https://opmantek.com.

Workarounds and Mitigations

Upgrade to Open-AudIT 2.2.

...