Keep security advisories sorted by date

Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/8787624d
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/8787624d
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/8787624d

Branch: refs/heads/master
Commit: 8787624d041b9bfa9417f12e8ea3eca57d6b5813
Parents: 076cc74
Author: Francesco Chicchiriccò <[email protected]>
Authored: Mon Mar 19 12:14:21 2018 +0100
Committer: Francesco Chicchiriccò <[email protected]>
Committed: Mon Mar 19 12:14:35 2018 +0100

----------------------------------------------------------------------
 src/site/xdoc/security.xml | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/syncope/blob/8787624d/src/site/xdoc/security.xml
----------------------------------------------------------------------
diff --git a/src/site/xdoc/security.xml b/src/site/xdoc/security.xml
index fde07b9..f71503d 100644
--- a/src/site/xdoc/security.xml
+++ b/src/site/xdoc/security.xml
@@ -34,9 +34,9 @@ under the License.
 
       <p>If you want to report a vulnerability, please follow <a 
href="http://www.apache.org/security/";>the procedure</a>.</p>
 
-      <subsection name="CVE-2018-1321: Remote code execution by administrators 
with report and template entitlements"> 
-        <p>An administrator with report and template entitlements can use XSL 
Transformations (XSLT) to perform
-          malicious operations, including but not limited to file read, file 
write, and code execution.</p>
+      <subsection name="CVE-2018-1322: Information disclosure via FIQL and 
ORDER BY sorting">  
+        <p>An administrator with user search entitlements can recover 
sensitive security values using the
+          <code>fiql</code> and <code>orderby</code> parameters.</p>
 
         <p>
           <b>Severity</b>
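Review bot: the Severity block that follows the renamed subsection is unchanged context, so whatever severity was written for CVE-2018-1321 now sits under the CVE-2018-1322 heading. The hunks in this patch swap only the name, description, mitigation and CVE link. Please confirm that everything left in place between them (the severity here, and the "Fixed in" list after the Mitigation paragraph) is identical for both advisories, or move those lines as well. Moving each subsection as one whole block would remove the need for that check.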
@@ -67,7 +67,7 @@ under the License.
         <p>
           <b>Mitigation</b>
         </p>
-        <p>Do not assign report and template entitlements to any 
administrator.</p>
+        <p>Do not assign user search entitlements to any administrator.</p>
 
         <p>
           <b>Fixed in</b>
@@ -79,12 +79,12 @@ under the License.
           </ul>
         </p>
 
-        <p>Read the <a 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1321";>full CVE 
advisory</a>.</p>
+        <p>Read the <a 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1322";>full CVE 
advisory</a>.</p>
       </subsection>
 
-      <subsection name="CVE-2018-1322: Information disclosure via FIQL and 
ORDER BY sorting">  
-        <p>An administrator with user search entitlements can recover 
sensitive security values using the
-          <code>fiql</code> and <code>orderby</code> parameters.</p>
+      <subsection name="CVE-2018-1321: Remote code execution by administrators 
with report and template entitlements"> 
+        <p>An administrator with report and template entitlements can use XSL 
Transformations (XSLT) to perform
+          malicious operations, including but not limited to file read, file 
write, and code execution.</p>
 
         <p>
           <b>Severity</b>
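Review bot: neither subsection heading nor any line shown here states an advisory date, so the date ordering named in the commit subject cannot be checked from this file, and with CVE-2018-1322 now placed above CVE-2018-1321 the list reads as out of order by identifier. Consider an XML comment above the first subsection stating the sort key, or a dated line inside each advisory, so the next editor does not "fix" the order back.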
@@ -115,7 +115,7 @@ under the License.
         <p>
           <b>Mitigation</b>
         </p>
-        <p>Do not assign user search entitlements to any administrator.</p>
+        <p>Do not assign report and template entitlements to any 
administrator.</p>
 
         <p>
           <b>Fixed in</b>
@@ -127,7 +127,7 @@ under the License.
           </ul>
         </p>
 
-        <p>Read the <a 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1322";>full CVE 
advisory</a>.</p>
+        <p>Read the <a 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1321";>full CVE 
advisory</a>.</p>
       </subsection>
 
       <subsection name="CVE-2014-3503: Insecure Random implementations used to 
generate passwords">    
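Review bot: the href on the re-added "full CVE advisory" line still points at http://cve.mitre.org/ over plain HTTP. Since the line is being rewritten in this patch anyway, consider switching the advisory links to https:// so that readers of a security page are not sent to the advisory over an unauthenticated connection.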
