Vulnerability information
===============

Date: 13th January 2016
Product: Greenbone Security Assistant ≥ 6.0.0 and < 6.0.8
Vendor: OpenVAS
Risk: Low, CVSS 1.9 (AV:A/AC:M/Au:M/C:P/I:N/A:N)

Description
===============

It has been identified that Greenbone Security Assistant (GSA) is vulnerable to cross-site scripting due to an improper handling of the parameters of the get_aggregate command. Given the attacker has access to a session token of the browser session, the cross-site scripting can be executed.

OpenVAS-7 is not affected.

Fix
===============

OpenVAS recommends that the publicly available patches are applied. If building from source, then patches r24056 (for Greenbone Security Assistant 6.0.x of OpenVAS-8) should be obtained from the OpenVAS SVN repository. For trunk (beta status of OpenVAS-9) this was solved with r24055.

A fresh tarball containing the latest stable release of Greenbone Security Assistant 6.0 (OpenVAS-8) can be obtained from:

http://wald.intevation.org/frs/download.php/2283/greenbone-security-assistant-6.0.8.tar.gz

In the event that OpenVAS has been supplied as part of a distribution, the vendor or organisation concerned should be contacted for a patch.

Full advisory
===============

See [1].

Timeline
===============

- 07.01.2016: XSS discovered and reported to vendor.
- 08.01.2016, 08:00: Acknowledgement from vendor and info that fix is already in progress.
- 08.01.2016, 17:30: Fix ready, QA and testing needed
- 09.01.2016: Update released for Greenbone Security Manager: Advisory GBSA 2016-01 [2]
- 13.01.2016: Update released for OpenVAS: Advisory OVSA 20160113 [1]
- 18.01.2016: CVE-2016-1926 assigned by MITRE
- 20.01.2016: Blogpost released [3]

References
===============

- [1] http://www.openvas.org/OVSA20160113.html
- [2] http://www.greenbone.net/technology/gbsa2016-01.html
- [3] https://en.internetwache.org/cve-2016-1926-xss-in-the-greenbone-security-assistant-20-01-2016/

Regards,
Sebastian Neef