Vulnerability CVE-2011-1425


Published: 2011-04-04   Modified: 2012-02-13

Description:
xslt.c in XML Security Library (aka xmlsec) before 1.2.17, as used in WebKit and other products, when XSLT is enabled, allows remote attackers to create or overwrite arbitrary files via vectors involving the libxslt output extension and a ds:Transform element during signature verification.

Type: CWE-264 (Permissions, Privileges, and Access Controls)

CVSS2 => (AV:N/AC:H/Au:N/C:P/I:P/A:P)

CVSS Base Score: 5.1/10
Impact Subscore: 6.4/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Affected software:
Apple -> WebKit
Aleksey -> XML Security Library

References:
https://bugzilla.redhat.com/show_bug.cgi?id=692133
http://www.aleksey.com/pipermail/xmlsec/2011/009120.html
http://git.gnome.org/browse/xmlsec/commit/?id=35eaacde6093d6711339754fc2146341b8b9f5fa
http://git.gnome.org/browse/xmlsec/commit/?id=2d5eddcc4163ea050cf3a3a1a25452bb5124f780
https://bugs.webkit.org/show_bug.cgi?id=52688
http://xforce.iss.net/xforce/xfdb/66506
http://www.vupen.com/english/advisories/2011/1172
http://www.vupen.com/english/advisories/2011/1010
http://www.vupen.com/english/advisories/2011/0858
http://www.vupen.com/english/advisories/2011/0855
http://www.securitytracker.com/id?1025284
http://www.securityfocus.com/bid/47135
http://www.redhat.com/support/errata/RHSA-2011-0486.html
http://www.mandriva.com/security/advisories?name=MDVSA-2011:063
http://www.debian.org/security/2011/dsa-2219
http://trac.webkit.org/changeset/79159
http://secunia.com/advisories/44423
http://secunia.com/advisories/44167
http://secunia.com/advisories/43920

Copyright 2024, cxsecurity.com

 
