SB2016041322 - Multiple vulnerabilities in Debian Linux

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2016-2058)

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when processing data passed via an acknowledgement message, which is not properly handled in the "status" page. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Buffer overflow (CVE-ID: CVE-2016-2054)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Multiple buffer overflows in xymond/xymond.c in xymond in Xymon 4.1.x, 4.2.x, and 4.3.x before 4.3.25 allow remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a long filename, involving handling a "config" command.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

• http://packetstormsecurity.com/files/135758/Xymon-4.3.x-Buffer-Overflow-Code-Execution-Information-Disclosure.html
• http://www.debian.org/security/2016/dsa-3495
• http://www.securityfocus.com/archive/1/537522/100/0/threaded
• https://sourceforge.net/p/xymon/code/7892/
• http://lists.xymon.com/archive/2016-February/042986.html
• https://sourceforge.net/p/xymon/code/7859/
• https://sourceforge.net/p/xymon/code/7860/