CVE-2019-11187
https://notcve.org/view.php?id=CVE-2019-11187
Incorrect access control in the LDAP class of GONICUS GOsa through 2019-04-11 allows an attacker to log into any account with a username containing the case-insensitive substring "success" when an arbitrary password is provided. (The Spanish text repeated the same description and is omitted here.) • https://github.com/gonicus/gosa/commits/master https://lists.debian.org/debian-lts-announce/2019/08/msg00009.html • CWE-287: Improper Authentication •
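The advisory describes the symptom but not the mechanism, and the fix commits are only linked. The following is an added, self-contained model of the bug class a CWE-287 finding of this shape usually comes from: an LDAP login that decides "success" by searching a free-form status string for that word, while the same string embeds the caller-supplied DN. It is not GOsa's code; the directory contents, the DN template and the error-message format are constructed assumptions, and the hardened version simply trusts the bind's boolean result.

```python
"""Model of the CVE-2019-11187 bug class: deciding that an LDAP bind
succeeded by substring-matching "success" in a status string that also
names the DN the caller asked to bind as. Added example for this page,
not GOsa's code; directory, DN template and messages are assumptions."""
import re

# Constructed stand-in for the directory: DN -> password.
DIRECTORY = {
    "uid=admin,ou=people,dc=example,dc=org": "correct horse battery staple",
}

DN_TEMPLATE = "uid=%s,ou=people,dc=example,dc=org"  # assumed DN layout


def fake_ldap_bind(dn, password):
    """Stand-in for an LDAP bind. Returns (bound, status_text); the status
    text mimics a client library's error string and includes the DN."""
    if DIRECTORY.get(dn) == password:
        return True, "Success"
    return False, "Could not bind to LDAP server as %s: Invalid credentials" % dn


def login_vulnerable(username, password):
    """The bug class: success is inferred from the status text, which is
    tainted by the username because the DN is built from it."""
    _bound, status = fake_ldap_bind(DN_TEMPLATE % username, password)
    return re.search(r"success", status, re.IGNORECASE) is not None


def login_fixed(username, password):
    """Hardened form: only the bind's own boolean result counts."""
    bound, _status = fake_ldap_bind(DN_TEMPLATE % username, password)
    return bound


def demo():
    """Collects the outcomes that matter for comparing the two checks."""
    return {
        "admin_ok_vuln": login_vulnerable("admin", "correct horse battery staple"),
        "admin_bad_vuln": login_vulnerable("admin", "wrong"),
        "success_bypass_vuln": login_vulnerable("SuccessfulUser", "anything"),
        "success_bypass_fixed": login_fixed("SuccessfulUser", "anything"),
        "admin_ok_fixed": login_fixed("admin", "correct horse battery staple"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running it shows the failing bind for `SuccessfulUser` being accepted by the substring check and rejected by the boolean check; the wider lesson is that any authentication decision derived from a message that mixes outcome and attacker-controlled input is a case-insensitive string away from a bypass.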
CVE-2018-1000528
https://notcve.org/view.php?id=CVE-2018-1000528
GONICUS GOsa before commit 56070d6289d47ba3f5918885954dcceb75606001 contains a cross-site scripting (XSS) vulnerability in the change-password form (html/password.php, #308) that can result in injection of arbitrary web script or HTML. The attack is exploitable when the victim opens a specially crafted web page. The vulnerability appears to have been fixed in commit 56070d6289d47ba3f5918885954dcceb75606001. (The Spanish text repeated the same description and is omitted here.) • https://github.com/gosa-project/gosa-core/commit/56070d6289d47ba3f5918885954dcceb75606001 https://github.com/gosa-project/gosa-core/issues/14 https://lists.debian.org/debian-lts-announce/2018/07/msg00028.html https://www.debian.org/security/2018/dsa-4239 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
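The advisory does not name the reflected parameter, so the following is an added model of the CWE-79 pattern in a change-password form rather than GOsa's html/password.php: a request field echoed into an HTML attribute unescaped, beside the same rendering with attribute-context escaping. The field name `uid` and the markup are assumptions made for the example.

```python
"""Model of the CVE-2018-1000528 bug class: a change-password form that
reflects a request parameter into its HTML without escaping. Added example
for this page, not GOsa's code; the 'uid' field and markup are assumptions."""
import html

# Constructed payload: closes the value attribute, then injects a script tag.
PAYLOAD = '"><script>alert(1)</script>'


def render_vulnerable(params):
    """The bug class: the submitted uid is pasted into the attribute as-is."""
    uid = params.get("uid", "")
    return '<form method="post"><input name="uid" value="%s"></form>' % uid


def render_fixed(params):
    """Hardened form: escape for the HTML attribute context (quote=True
    turns '"' into &quot; so the attribute cannot be closed early)."""
    uid = html.escape(params.get("uid", ""), quote=True)
    return '<form method="post"><input name="uid" value="%s"></form>' % uid


def reflects_payload(page):
    """True when the raw payload survives into the page, i.e. XSS fires."""
    return PAYLOAD in page


if __name__ == "__main__":
    print("vulnerable reflects payload:", reflects_payload(render_vulnerable({"uid": PAYLOAD})))
    print("fixed reflects payload:     ", reflects_payload(render_fixed({"uid": PAYLOAD})))
```

A link that carries the payload in the `uid` field is the "specially crafted web page" the advisory refers to; the victim's browser submits it and the vulnerable renderer hands the script back in the response.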