Package name
ocsinventory
Date
2010-09-12
Advisory ID
MDVSA-2010:178
Affected versions
MES5 i586, MES5 x86_64

Problem description

Multiple vulnerabilities have been found and corrected in ocsinventory:

Multiple cross-site scripting (XSS) vulnerabilities in
ocsreports/index.php in OCS Inventory NG 1.02.1 allow remote attackers
to inject arbitrary web script or HTML via (1) the query string, (2)
the BASE parameter, or (3) the ega_1 parameter. NOTE: some of these
details are obtained from third party information (CVE-2010-1594).

Multiple SQL injection vulnerabilities in ocsreports/index.php in
OCS Inventory NG 1.02.1 allow remote attackers to execute arbitrary
SQL commands via the (1) c, (2) val_1, or (3) onglet_bis parameter
(CVE-2010-1595).

Multiple SQL injection vulnerabilities in OCS Inventory NG before
1.02.3 allow remote attackers to execute arbitrary SQL commands via
(1) multiple inventory fields to the search form, reachable through
index.php; or (2) the Software name field to the All softwares search
form, reachable through index.php. NOTE: the provenance of this
information is unknown; the details are obtained solely from third
party information (CVE-2010-1733).

This upgrade provides ocsinventory 1.02.3, which is not vulnerable
to these security issues.
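
For hosts that ran an affected version before upgrading, the following added example (not part of the advisory or of OCS Inventory NG) triages web server access logs for requests to ocsreports/index.php in which the parameters named above carry SQL or HTML metacharacters. It assumes Apache common/combined log format; the metacharacter patterns are heuristics and the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Parameter names as listed in the advisory.
SQLI_PARAMS = {"c", "val_1", "onglet_bis"}   # CVE-2010-1595
XSS_PARAMS = {"BASE", "ega_1"}               # CVE-2010-1594
# Heuristic patterns (assumptions, tune per site).
SQL_META = re.compile(r"""['";]|--|/\*|\b(?:union|select)\b""", re.I)
HTML_META = re.compile(r"""[<>"']""")
# Request field of an Apache common/combined log line (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed lines, documentation address range
    '192.0.2.10 - - [12/Sep/2010:10:00:01 +0200] "GET /ocsreports/index.php?onglet_bis=A HTTP/1.1" 200 5120',
    '192.0.2.44 - - [12/Sep/2010:10:00:07 +0200] "GET /ocsreports/index.php?c=1%27 HTTP/1.1" 200 812',
    '192.0.2.44 - - [12/Sep/2010:10:00:09 +0200] "GET /ocsreports/index.php?BASE=%3Cb%3E HTTP/1.1" 200 903',
]

def triage(line):
    """Return a list of (cve, parameter) findings for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    # A request for the directory itself is also served by index.php.
    if not url.path.endswith(("/ocsreports/index.php", "/ocsreports/")):
        return []
    findings = []
    # Vector (1) of CVE-2010-1594 is the query string as a whole.
    if re.search(r"[<>]", unquote_plus(url.query)):
        findings.append(("CVE-2010-1594", "<query string>"))
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name in SQLI_PARAMS and SQL_META.search(value):
            findings.append(("CVE-2010-1595", name))
        if name in XSS_PARAMS and HTML_META.search(value):
            findings.append(("CVE-2010-1594", name))
    return findings

def scan(lines):
    """Return (client address, findings) for every flagged log line."""
    hits = [(line.split()[0], triage(line)) for line in lines]
    return [(client, found) for client, found in hits if found]

if __name__ == "__main__":
    for client, found in scan(SAMPLE_LOG):
        print(client, found)
```

Access logs record only the request line, so parameters sent in a POST body are not covered. A hit marks a request for review and does not by itself show that the request succeeded.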

Updated packages

MES5 i586

 a9045d602b87e3da6e0d24328ff66352  mes5/i586/ocsinventory-reports-1.02.3-0.1mdvmes5.1.noarch.rpm
 99043a5be495e958fc3618f7af2a3010  mes5/i586/ocsinventory-server-1.02.3-0.1mdvmes5.1.noarch.rpm 
 d2e957fa895a06682cf4278d4e3caf62  mes5/SRPMS/ocsinventory-1.02.3-0.1mdvmes5.1.src.rpm

MES5 x86_64

 7a2ab2ccba209d24705b554d51dc09f0  mes5/x86_64/ocsinventory-reports-1.02.3-0.1mdvmes5.1.noarch.rpm
 de6b2e60f3021eb9757b32eedb0a35fc  mes5/x86_64/ocsinventory-server-1.02.3-0.1mdvmes5.1.noarch.rpm 
 d2e957fa895a06682cf4278d4e3caf62  mes5/SRPMS/ocsinventory-1.02.3-0.1mdvmes5.1.src.rpm

References