[Bug 1182123] New: VUL-0: mumble: non-http/https URL schemes in website field
http://bugzilla.opensuse.org/show_bug.cgi?id=1182123

            Bug ID: 1182123
           Summary: VUL-0: mumble: non-http/https URL schemes in website field
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 15.2
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: i@marguerite.su
          Reporter: Andreas.Stieger@gmx.de
        QA Contact: qa-bugs@suse.de
                CC: security-team@suse.de
          Found By: Community User
           Blocker: ---

Fixed in Mumble 1.3.4:
Fixed: Security vulnerability caused by allowing non http/https URL schemes in public server
From commit: Our public server list registration script doesn't have a URL scheme whitelist for the website field. Turns out a malicious server can register itself with a dangerous URL in an attempt to attack a user's machine. User interaction is required, as the URL has to be opened by right-clicking on the server entry and clicking on Open Webpage. The fix is a client-side whitelist, which only allows http and https schemes.

References:
https://github.com/mumble-voip/mumble/pull/4733
https://github.com/mumble-voip/mumble/commit/817d2c1a03cdeb0d951b0460c5c03c5...
https://github.com/mumble-voip/mumble/pull/4739
https://github.com/mumble-voip/mumble/commit/6b54dbca8589140d5ae2ed9b0eb8959...

-- 
You are receiving this mail because:
You are on the CC list for the bug.
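The client-side allowlist the commit describes, written out as an added example (this is not Mumble's own code; Mumble is a Qt application, while this uses only the C++ standard library). It extracts the scheme per RFC 3986, compares it case-insensitively, and denies by default, so scheme-less, whitespace-prefixed or malformed website values are never handed to the system URL opener:

```cpp
// Added example, not code from the Mumble project: an http/https allowlist for
// the "website" field of a server entry before it is opened in a browser.
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":".
// Returns the lower-cased scheme, or "" when no valid scheme is present.
std::string urlScheme(const std::string &url) {
    std::string scheme;
    for (size_t i = 0; i < url.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(url[i]);
        if (c == ':')
            return scheme;  // empty if the value starts with ':'
        bool ok = (i == 0) ? std::isalpha(c) != 0
                           : (std::isalnum(c) || c == '+' || c == '-' || c == '.');
        if (!ok)
            return "";      // e.g. leading whitespace or a '/' before any ':'
        scheme.push_back(static_cast<char>(std::tolower(c)));
    }
    return "";              // no ':' at all, e.g. "example.com/path"
}

// Only http and https may reach the system URL handler; everything else is
// rejected, including values with no recognisable scheme (deny by default).
bool isAllowedWebsiteUrl(const std::string &url) {
    static const std::vector<std::string> allowed = {"http", "https"};
    const std::string scheme = urlScheme(url);
    if (scheme.empty())
        return false;
    for (const auto &a : allowed)
        if (scheme == a)
            return true;
    return false;
}

int main() {
    // Constructed sample values a server might register as its website.
    const std::vector<std::string> samples = {
        "https://example.com/", "HTTP://example.com", "ftp://example.com",
        "file:///tmp/x", "example.com", " http://example.com"};
    for (const auto &s : samples)
        std::cout << (isAllowedWebsiteUrl(s) ? "open   " : "reject ") << '"' << s << "\"\n";
    return 0;
}
```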
http://bugzilla.opensuse.org/show_bug.cgi?id=1182123
http://bugzilla.opensuse.org/show_bug.cgi?id=1182123#c2

--- Comment #2 from Andreas Stieger <Andreas.Stieger@gmx.de> ---
https://build.opensuse.org/request/show/871215
http://bugzilla.opensuse.org/show_bug.cgi?id=1182123

Andreas Stieger <Andreas.Stieger@gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |IN_PROGRESS
                 CC|                            |Andreas.Stieger@gmx.de,
                   |                            |i@marguerite.su
           Assignee|i@marguerite.su             |security-team@suse.de