Ubuntu Security Notice 4609-1 - Fabian Henneke discovered that GOsa incorrectly handled client cookies. An authenticated user could exploit this with a crafted cookie to perform file deletions in the context of the user account that runs the web server. It was discovered that GOsa incorrectly handled user access control. A remote attacker could use this issue to log into any account with a username containing the word "success". Various other issues were also addressed.
daa46d595ce73c679a0617cf76033ccd2ccb549456af6f754422eaa95cc0f686
Debian Linux Security Advisory 4239-1 - Fabian Henneke discovered a cross-site scripting vulnerability in the password change form of GOsa, a web-based LDAP administration program.
3c452dee04b87f036e376510b820d7c96fefdc62a36c4d011303a28aafe04163