CERTA-2002-AVI-207
Vulnerability from certfr_avis

Konqueror's protections against JavaScript execution for certain domains do not work in sub-frames of pages.

Description

JavaScript code can execute, outside Konqueror's control, in sub-frames of pages, which allows a Cross-Site Scripting attack.

Temporary workaround

Disable the use of JavaScript.

Solution

Apply the patch available for download from the KDE website (see the documentation section) or install version 3.0.3a of kdelibs.

Any system with KDE version 2.2.2, or 3.0 to 3.0.3, is vulnerable.



{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cp\u003eTout syst\u00e8me poss\u00e9dant KDE en version  2.2.2, 3.0 \u00e0 3.0.3 est vuln\u00e9rable.\u003c/p\u003e",
  "content": "## Description\n\nLe code javascript peut s\u0027ex\u00e9cuter, sans le contr\u00f4le de Konqueror, dans\nles sous-cadres de pages (sub-frames) et donc permet une attaque de type\n\u00ab Cross Site Scripting \u00bb.\n\n## Contournement provisoire\n\nD\u00e9sactiver l\u0027emploi des javascripts.\n\n## Solution\n\nAppliquer le correctif disponible en t\u00e9l\u00e9chargement sur le site de KDE\n(consulter la section documentation) ou installer la version 3.0.3a de\nkdelibs.\n",
  "cves": [],
  "initial_release_date": "2002-09-13T00:00:00",
  "last_revision_date": "2002-09-17T00:00:00",
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 #20020908-2 de KDE :",
      "url": "http://www.kde.org/info/security/advisory-20020908-2.txt"
    }
  ],
  "reference": "CERTA-2002-AVI-207",
  "revisions": [
    {
      "description": "version initiale ;",
      "revision_date": "2002-09-13T00:00:00.000000"
    },
    {
      "description": "ajout de l\u0027avis debian.",
      "revision_date": "2002-09-17T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service"
    },
    {
      "description": "Divulgation de donn\u00e9es"
    }
  ],
  "summary": "Les protections de konqueror contre l\u0027ex\u00e9cution du javascript pour\ncertains domaines ne fonctionnent pas dans les sous-cadres de pages\n(sub-frames).\n",
  "title": "Contournement des r\u00e8gles de s\u00e9curit\u00e9 dans Konqueror",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Avis #20020908-2 de KDE",
      "url": null
    }
  ]
}

