Vulnerability information
===============
Date: 13th January 2016
Product: Greenbone Security Assistant ≥ 6.0.0 and < 6.0.8
Vendor: OpenVAS <http://www.openvas.org/>
Risk: Low, CVSS 1.9 (AV:A/AC:M/Au:M/C:P/I:N/A:N)
Description
===============
It has been identified that Greenbone Security Assistant (GSA) is vulnerable to cross site scripting due to a improper handling of the parameters of the get_aggregate command. Given the attacker has access to a session token of the browser session, the cross site scripting can be executed. OpenVAS-7 is not affected.
Fix
===============
OpenVAS recommends that the publicly available patches are applied. If building from source, then patches r24056 (for Greenbone Security Assistant 6.0.x of OpenVAS-8) should be obtained from the OpenVAS SVN repository. For trunk (beta status of OpenVAS-9) this was solved with r24055.
A fresh tarball containing the latest stable release of Greenbone Security Assistant 6.0 (OpenVAS-8) can be obtained from:
http://wald.intevation.org/frs/download.php/2283/greenbone-security-assistant-6.0.8.tar.gz
In the event that OpenVAS has been supplied as part of a distribution then the vendor or organisation concerned should be contacted for a patch.
Full advisory
===============
See [1].
Timeline
===============
- 07.01.2016: XSS discovered and reported to vendor.
- 08.01.2016, 08:00: Acknowledgement from vendor and info that fix is already in progress.
- 08.01.2016, 17:30: Fix ready, QA and testing needed
- 09.01.2016: Update released for Greenbone Security Manager: Advisory GBSA 2016-01 [2]
- 13.01.2016: Update released OpenVAS: Advisory OVSA 20160113 [1]
- 18.01.2016: CVE-2016-1926 assigned by MITRE
- 20.01.2016: Blogpost released [3]
References
===============
- [1] http://www.openvas.org/OVSA20160113.html
- [2] http://www.greenbone.net/technology/gbsa2016-01.html
- [3] https://en.internetwache.org/cve-2016-1926-xss-in-the-greenbone-security-assistant-20-01-2016/
Regards,
Sebastian Neef