SB2011102302 - Multiple vulnerabilities in empathy

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2011-3635)

Vulnerability allows a remote attacker to perform XSS attacks.

The vulnerability is caused by an input validation error in the theme_adium_append_message function in empathy-theme-adium.c in the Adium theme in libempathy-gtk in Empathy 3.2.1 and earlier. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Cross-site scripting (CVE-ID: CVE-2011-4170)

Vulnerability allows a remote attacker to perform Cross-site scripting attacks.

An input validation error exists in the theme_adium_append_message function in empathy-theme-adium.c in the Adium theme in libempathy-gtk in Empathy 3.2.1 and earlier. A remote authenticated attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

• http://git.gnome.org/browse/empathy/commit/?id=739aca418457de752be13721218aaebc74bd9d36
• http://osvdb.org/76485
• http://secunia.com/advisories/46510
• http://secunia.com/advisories/46939
• http://www.securityfocus.com/bid/50323
• https://bugzilla.gnome.org/show_bug.cgi?id=662035
• https://bugzilla.redhat.com/show_bug.cgi?id=747599