https://bugzilla.novell.com/show_bug.cgi?id=664505 https://bugzilla.novell.com/show_bug.cgi?id=664505#c0 Summary: VUL-0: calibre: XSS and file disclosure Classification: openSUSE Product: openSUSE 11.3 Version: Final Platform: Other OS/Version: Other Status: NEW Severity: Normal Priority: P5 - None Component: Other AssignedTo: bnc-team-screening@forge.provo.novell.com ReportedBy: thomas@novell.com QAContact: qa@suse.de CC: security-team@suse.de Found By: --- Blocker: --- Hi. There is a security bug in package 'calibre'. This bug is public. There is no coordinated release date (CRD) set. More information can be found here: http://bugs.debian.org/608822 Original posting: http://bugs.debian.org/608822 http://www.waraxe.us/advisory-77.html 1. Directory Traversal Vulnerability in Calibre Content Server --------------------------------------------------------------- Reason: failure to sufficiently sanitize user-supplied input data Attack vector: specially crafted HTTP GET request Preconditions: 1. Calibre Content Server must be turned on (off by default) 2. If Username and Password set, they must be known (no password by default) Impact: remote attacker can read arbitrary files on the target system [...] 2. Reflected XSS Vulnerability in Calibre Content Server -------------------------------------------------------- Reason: failure to sufficiently sanitize user-supplied input data Attack vector: user-supplied GET parameter "query" Preconditions: 1. Calibre Content Server must be turned on (off by default) 2. If Username and Password set, they must be known (no password by default) [...] -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.