Gosa Project CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL Gosa Project CVE published 2017-02-13

CVE-2015-8771

CVE-2015-8771 is a critical remote code execution issue in GOsa associated with the generate_smb_nt_hash function in include/functions.inc. According to the NVD record, a crafted password can trigger arbitrary command execution, and the issue is rated CVSS 9.8 with CWE-94 (code injection) as the primary weakness. A patch is referenced in the upstream GitHub commit and in the oss-security mailing list advi [truncated]

MEDIUM Gosa Project CVE published 2017-02-13

CVE-2014-9760

CVE-2014-9760 describes a cross-site scripting (XSS) flaw in GOsa's login page handling. NVD identifies the issue in the displayLogin function in html/index.php, where remote attackers can inject arbitrary web script or HTML via the username field. The NVD record lists the issue as CVSS 3.1 6.1 (MEDIUM), with network attack vector and user interaction required.