MDVSA-2010:178
- Package name: ocsinventory
- Date: 2010-09-12
- Advisory ID: MDVSA-2010:178
- Affected versions: MES5 i586, MES5 x86_64
Problem description
Multiple vulnerabilities have been found and corrected in ocsinventory:

Multiple cross-site scripting (XSS) vulnerabilities in ocsreports/index.php in OCS Inventory NG 1.02.1 allow remote attackers to inject arbitrary web script or HTML via (1) the query string, (2) the BASE parameter, or (3) the ega_1 parameter. NOTE: some of these details are obtained from third party information (CVE-2010-1594).

Multiple SQL injection vulnerabilities in ocsreports/index.php in OCS Inventory NG 1.02.1 allow remote attackers to execute arbitrary SQL commands via the (1) c, (2) val_1, or (3) onglet_bis parameter (CVE-2010-1595).

Multiple SQL injection vulnerabilities in OCS Inventory NG before 1.02.3 allow remote attackers to execute arbitrary SQL commands via (1) multiple inventory fields to the search form, reachable through index.php; or (2) the Software name field to the All softwares search form, reachable through index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information (CVE-2010-1733).

This upgrade provides ocsinventory 1.02.3, which is not vulnerable to these security issues.
Updated packages
MES5 i586
a9045d602b87e3da6e0d24328ff66352 mes5/i586/ocsinventory-reports-1.02.3-0.1mdvmes5.1.noarch.rpm
99043a5be495e958fc3618f7af2a3010 mes5/i586/ocsinventory-server-1.02.3-0.1mdvmes5.1.noarch.rpm
d2e957fa895a06682cf4278d4e3caf62 mes5/SRPMS/ocsinventory-1.02.3-0.1mdvmes5.1.src.rpm
MES5 x86_64
7a2ab2ccba209d24705b554d51dc09f0 mes5/x86_64/ocsinventory-reports-1.02.3-0.1mdvmes5.1.noarch.rpm
de6b2e60f3021eb9757b32eedb0a35fc mes5/x86_64/ocsinventory-server-1.02.3-0.1mdvmes5.1.noarch.rpm
d2e957fa895a06682cf4278d4e3caf62 mes5/SRPMS/ocsinventory-1.02.3-0.1mdvmes5.1.src.rpm
