CERTA-2002-AVI-207
Vulnerability from certfr_avis - Published: - Updated:
Konqueror's protections against JavaScript execution for certain domains do not work in sub-frames of pages.
Description
JavaScript code can execute in sub-frames of pages without Konqueror's control, which allows a cross-site scripting attack.
Temporary workaround
Disable the use of JavaScript.
Solution
Apply the patch available for download from the KDE site (see the documentation section), or install version 3.0.3a of kdelibs.
Any system running KDE version 2.2.2, or 3.0 through 3.0.3, is vulnerable.
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [],
"affected_systems_content": "\u003cp\u003eTout syst\u00e8me poss\u00e9dant KDE en version 2.2.2, 3.0 \u00e0 3.0.3 est vuln\u00e9rable.\u003c/p\u003e",
"content": "## Description\n\nLe code javascript peut s\u0027ex\u00e9cuter, sans le contr\u00f4le de Konqueror, dans\nles sous-cadres de pages (sub-frames) et donc permet une attaque de type\n\u00ab Cross Site Scripting \u00bb.\n\n## Contournement provisoire\n\nD\u00e9sactiver l\u0027emploi des javascripts.\n\n## Solution\n\nAppliquer le correctif disponible en t\u00e9l\u00e9chargement sur le site de KDE\n(consulter la section documentation) ou installer la version 3.0.3a de\nkdelibs.\n",
"cves": [],
"links": [
{
"title": "Bulletin de s\u00e9curit\u00e9 #20020908-2 de KDE :",
"url": "http://www.kde.org/info/security/advisory-20020908-2.txt"
}
],
"reference": "CERTA-2002-AVI-207",
"revisions": [
{
"description": "version initiale ;",
"revision_date": "2002-09-13T00:00:00.000000"
},
{
"description": "ajout de l\u0027avis debian.",
"revision_date": "2002-09-17T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service"
},
{
"description": "Divulgation de donn\u00e9es"
}
],
"summary": "Les protections de konqueror contre l\u0027ex\u00e9cution du javascript pour\ncertains domaines ne fonctionnent pas dans les sous-cadres de pages\n(sub-frames).\n",
"title": "Contournement des r\u00e8gles de s\u00e9curit\u00e9 dans Konqueror",
"vendor_advisories": [
{
"published_at": null,
"title": "Avis #20020908-2 de KDE",
"url": null
}
]
}