Date: Fri, 29 Mar 2024 08:57:53 +0000 (UTC) Message-ID: <1787110483.4073.1711702673152@skald.opmantek.com> Subject: Exported From Confluence MIME-Version: 1.0 Content-Type: multipart/related; boundary="----=_Part_4072_250945226.1711702673151" ------=_Part_4072_250945226.1711702673151 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Content-Location: file:///C:/exported.html
This vulnerability affects all installations of Open-AudIT prior to vers= ion 1.6.2.
A patched version of Open-AudIT (1.6.2) is available from http://www.open-audit.org/downloads.php and https://opmantek.com/network-tools-download/.
Users are advised to upgrade ASAP.
A vulnerability affecting the web view files is caused because of insuff= icient output escaping. The vulnerability requires an Admin level user to p= urposely insert javascript into a field that can be displayed in the web pa= ges. This issue has been addressed by a review of all web view files in Ope= n-AudIT to ensure all output is sufficiently escaped before being sent to t= he browser.
The conditions of successful exploitation are that the attacker must hav= e Admin level access to Open-AudIT and maliciously insert javascript code t= o a field that is (was) not correctly escaped prior to browser output.
Open-AudIT 1.6 for Windows and earlier. Open-AudIT Enterprise is not aff= ected by this vulnerability.
A patch for the issue described in this bulletin is available in the new= ly released Open-AudIT v1.6.2. This release is available now on ht= tp://www.openaudit.org and https://opmantek.com.
Upgrade to Open-AudIT 1.6.2
The vulnerability was addressed by Opmantek and upgrading to Open-AudIT = 1.6.2 will include this fix and remove the vulnerability.
The preferred method of mitigation is an upgrade to Open-AudIT 1.6.2.
Customers can further mitigate this threat by proactively changing the d= efault passwords as shipped with Open-AudIT.