#############################################################
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
#
#############################################################
#
# CVE ID : CVE-2013-1413
# CSNC ID: CSNC-2013-003
# Product: i-doit
# Vendor:  synetics Gesellschaft für Systemintegration mbH
# Subject: Cross-site Scripting - XSS
# Risk:    High
# Effect:  Remotely exploitable
# Author:  Stephan Rickauer (stephan.rickauer@csnc.ch)
# Date:    March 1st 2013
#
#############################################################

Introduction:
-------------
Compass Security AG discovered multiple security flaws in the
i-doit CMDB web application.

Vulnerable:
-----------
- i-doit versions prior to 1.0 Pro and 0.9.9-7 Open
- i-doit versions after 1.0 Pro with the input filter disabled
  (the default)

Patches:
--------
Version 1.0.2 Pro has received a new configuration option to
'sanitize user input', which defaults to off and has to be
manually enabled.

Description:
------------
The i-doit web application does not properly encode output of user
data in various places. Exploiting this vulnerability leads to
so-called cross-site scripting (XSS) and allows execution of
JavaScript code in the context of the user's session, e.g. to
impersonate logged-in i-doit CMDB users.

Milestones:
-----------
2013-01-20 Vulnerability discovered
2013-01-20 Vendor notified
2013-01-20 CVE requested at MITRE.org
2013-01-21 Vendor contact established, provided with technical details
2013-01-21 CVE-ID assigned by MITRE
2013-01-21 Acknowledgement of vulnerability by vendor and agreement
           of advisory release schedule
2013-01-28 More XSS vulnerabilities identified, vendor updated
2013-02-20 Release of patched vendor software
2013-03-01 Public release of advisory

References:
-----------
http://www.i-doit.org
http://www.i-doit.com
http://www.csnc.ch