[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[SECURITY] CVE-2015-5349: Apache Directory Studio command injection vulnerability

To: users@xxxxxxxxxxxxxxxxxxxx, dev@xxxxxxxxxxxxxxxxxxxx, security@xxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: [SECURITY] CVE-2015-5349: Apache Directory Studio command injection vulnerability
From: Stefan Seelmann <seelmann@xxxxxxxxxx>
Date: Sat, 2 Jan 2016 15:32:51 +0100

CVE-2015-5349: Apache Directory Studio command injection vulnerability

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Apache LDAP Studio 0.6.0 to 0.8.1
- Apache Directory Studio 1.0.0 to 2.0.0-M9

Description:
The CSV export didn’t escape the fields properly. Malicious users can
put specially crafted values into the LDAP server. When a user exports
that data into CSV formatted file, and subsequently opens it with a
spreadsheet application, the data is interpreted as a formula and executed.

Mitigation:
Users should upgrade to Apache Directory Studio 2.0.0-M10

Credit:
This issue was discovered by Muhammad Shahmeer Amir.

Prev by Date: OSS-2016-02: Weak authentication in NXP Hitag S transponder allows an attacker to read, write and clone any tag
Next by Date: Open Audit SQL Injection Vulnerability
Previous by thread: OSS-2016-02: Weak authentication in NXP Hitag S transponder allows an attacker to read, write and clone any tag
Next by thread: Open Audit SQL Injection Vulnerability
Index(es):
- Date
- Thread