ID CVE-2007-1462
Summary The luci server component in conga preserves the password between page loads for the Add System/Cluster task flow by storing the password in the Value attribute of a password entry field, which allows attackers to steal the password by performing a "view source" or other operation to obtain the web page. NOTE: there are limited circumstances under which such an attack is feasible.
References
Vulnerable Configurations
  • cpe:2.3:o:redhat:linux:*:*:*:*:*:*:*:*
  • cpe:2.3:a:conga:conga:*:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 15-11-2008 - 06:44)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
Vector: NETWORK
Complexity: MEDIUM
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: NONE
Availability: NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:N/A:N
redhat via4
advisories
bugzilla
id 1618300
title CVE-2007-1462 security flaw
oval
OR
  • comment Red Hat Enterprise Linux must be installed
    oval oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331005
    • OR
      • AND
        • comment luci is earlier than 0:0.9.2-6.el5
          oval oval:com.redhat.rhba:tst:20070331001
        • comment luci is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhba:tst:20070331002
      • AND
        • comment ricci is earlier than 0:0.9.2-6.el5
          oval oval:com.redhat.rhba:tst:20070331003
        • comment ricci is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhba:tst:20070331004
rhsa
id RHBA-2007:0331
released 2006-07-20
severity Low
title RHBA-2007:0331: conga bug fix update (Low)
rpms
  • conga-debuginfo-0:0.9.2-6.el5
  • luci-0:0.9.2-6.el5
  • ricci-0:0.9.2-6.el5
refmap via4
confirm https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=228637
osvdb 35086
Last major update 15-11-2008 - 06:44
Published 15-03-2007 - 20:19
Last modified 15-11-2008 - 06:44