XSS on resource URLs

Summary

  • CVE: CVE-2017-1000442
  • Product affected: Passbolt API, Passbolt Docker
  • Version affected: v1.6.4 and below
  • Version fixed: v1.6.5
  • Affected component: Resource URL
  • Vulnerability type: Cross-Site Scripting (XSS)
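
The advisory does not describe the mechanism of the reported XSS, so the following is an added illustration, not Passbolt's code, of the two controls that normally close an XSS in a user-supplied URL field: an allowlist of URL schemes when the value is accepted, and HTML escaping when it is rendered. The function names `safeResourceUrl`, `escapeHtml`, `renderLinkUnsafe` and `renderLinkSafe` are hypothetical, and the `http`/`https` allowlist is an assumed policy; the sample inputs are constructed for the example.

```javascript
// Added example (not Passbolt code): defensive handling of a stored resource
// URL before it is rendered as a link in a web UI. The advisory does not say
// which path the reported XSS took, so this assumes the two usual ones for a
// URL field: a non-navigational scheme (e.g. javascript:) and HTML
// metacharacters in the value when it is interpolated into markup.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]); // assumed policy

// Returns the normalised URL if its scheme is on the allowlist, else null.
// Relative or malformed input is rejected rather than guessed at.
function safeResourceUrl(input) {
  if (typeof input !== "string") return null;
  let parsed;
  try {
    parsed = new URL(input.trim());
  } catch (e) {
    return null;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Escapes the five HTML metacharacters so the string is inert both in element
// content and inside a double-quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the stored value is interpolated raw into markup, so
// both the href attribute and the link text are attacker-controlled HTML.
function renderLinkUnsafe(url) {
  return `<a href="${url}">${url}</a>`;
}

// Hardened pattern: scheme allowlist first, then escaping on output. A value
// that fails validation is still shown to the user, but as text, never as a link.
function renderLinkSafe(url) {
  const safe = safeResourceUrl(url);
  if (safe === null) {
    return `<span>${escapeHtml(url)}</span>`;
  }
  return `<a href="${escapeHtml(safe)}" rel="noopener noreferrer">${escapeHtml(safe)}</a>`;
}

// Constructed sample values, run when the file is executed directly.
for (const sample of ["https://example.com/login", "javascript:void(0)", "<not a url>"]) {
  console.log(JSON.stringify(sample), "->", renderLinkSafe(sample));
}
```

Validating at input time and escaping at output time are independent: the allowlist stops schemes that execute script when followed, and the escaping stops the value from breaking out of the attribute or element it is placed in, so both are needed even when the other is present.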

Impact of issue

Attack vector / exploitation

Credits

Other information

How did this happen?

Are there other XSS vulnerability present?

What are you doing about it?

Event timeline

  • 2017-09-13 22:30:00 CET: The Passbolt team received a security vulnerability report from Sumit Sahoo.
  • 2017-09-14 07:00:00 CET: Early in the morning we acknowledged the issue, started working on a fix and started looking for similar issues in other parts of the code.
  • 2017-09-14 14:00:00 CET: We deployed a fix on the demo server.
  • 2017-09-14 14:00:00 CET: We notified the reporter that a fix had been deployed.
  • 2017-09-14 14:30:00 CET: We published the fix on GitHub, the release notes and this report.

Current status:

Last updated: 2017-09-14 16:40:00 CET