Two of the May 2013 security vulnerabilities also affect the MobileUI extension, which provides a mobile interface for RT versions 3.8.x. The extension was merged into core RT starting in version 4.0.0, and the corresponding vulnerabilities in RT 4.0.0 to 4.0.12 were fixed by the May 2013 patches and RT 4.0.13.
All versions of RT-Extension-MobileUI are vulnerable to cross-site scripting (XSS) via attachment filenames. The vector is difficult to exploit due to parsing requirements. This vulnerability is assigned CVE-2013-3736.

All versions of RT-Extension-MobileUI create a limited session re-use vulnerability when using the file-based session store, Apache::Session::File, in combination with an older version of various non-core authentication extensions, such as RT::Authen::ExternalAuth earlier than version 0.14. The extent of session re-use is limited to information leaks of certain user preferences and caches, such as the queue names available for ticket creation. This vulnerability is assigned CVE-2013-3737.

A new version of RT-Extension-MobileUI is available for download below.

http://cpan.metacpan.org/authors/id/A/AL/ALEXMV/RT-Extension-MobileUI-1.04.tar.gz
3feaafcee94c857ac2875a5f5b5b30c4f2d64c23 RT-Extension-MobileUI-1.04.tar.gz

The README in the tarball contains instructions for applying the patches.

If you need help resolving this issue locally, we will provide discounted pricing for single-incident support; please contact us at sa...@bestpractical.com for more information.
_______________________________________________ rt-announce mailing list rt-annou...@lists.bestpractical.com http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-announce