4.3 - MDVSA-2011:075

Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.

Informations
Name	MDVSA-2011:075	First vendor Publication	2011-04-20
Vendor	Mandriva	Last vendor Modification	2011-04-20
Severity (Vendor)	N/A	Revision	N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Cvss Base Score	4.3	Attack Range	Network
Cvss Impact Score	2.9	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

A vulnerability has been found and corrected in kdelibs4:

Cross-site scripting (XSS) vulnerability in the KHTMLPart::htmlError function in khtml/khtml_part.cpp in Konqueror in KDE SC 4.4.0 through 4.6.1 allows remote attackers to inject arbitrary web script or HTML via the URI in a URL corresponding to an unavailable web site (CVE-2011-1168).

Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct this issue.

Original Source

Url : http://www.mandriva.com/security/advisories?name=MDVSA-2011:075

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-79	Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:13867

Oval ID:	oval:org.mitre.oval:def:13867
Title:	USN-1110-1 -- kde4libs vulnerabilities
Description:	kde4libs: KDE 4 core applications An attacker could send crafted input to Konqueror to view sensitive information.
Family:	unix	Class:	patch
Reference(s):	USN-1110-1 CVE-2011-1094 CVE-2011-1168	Version:	5
Platform(s):	Ubuntu 10.10 Ubuntu 9.10 Ubuntu 10.04	Product(s):	kde4libs
Definition Synopsis:
Release section Ubuntu 10.10 is installed AND Installed architecture is all AND Packages section libkio5 DPKG is earlier than 4:4.5.1-0ubuntu8.1 AND libkhtml5 DPKG is earlier than 4:4.5.1-0ubuntu8.1 OR Release section Ubuntu 9.10 is installed AND Installed architecture is all AND kdelibs5 DPKG is earlier than 4:4.3.2-0ubuntu7.3 OR Release section Ubuntu 10.04 is installed AND Installed architecture is all AND kdelibs5 DPKG is earlier than 4:4.4.5-0ubuntu1.1

Definition Id: oval:org.mitre.oval:def:21872

Oval ID:	oval:org.mitre.oval:def:21872
Title:	RHSA-2011:0464: kdelibs security update (Moderate)
Description:	Cross-site scripting (XSS) vulnerability in the KHTMLPart::htmlError function in khtml/khtml_part.cpp in Konqueror in KDE SC 4.4.0 through 4.6.1 allows remote attackers to inject arbitrary web script or HTML via the URI in a URL corresponding to an unavailable web site.
Family:	unix	Class:	patch
Reference(s):	RHSA-2011:0464-01 CVE-2011-1094 CVE-2011-1168	Version:	29
Platform(s):	Red Hat Enterprise Linux 6	Product(s):	kdelibs
Definition Synopsis:
The operating system installed on the system is Red Hat Enterprise Linux 6 Packages section kdelibs-apidocs is earlier than 6:4.3.4-11.el6_0.2 AND kdelibs-common is earlier than 6:4.3.4-11.el6_0.2 AND kdelibs-devel is earlier than 6:4.3.4-11.el6_0.2 AND kdelibs is earlier than 6:4.3.4-11.el6_0.2

Definition Id: oval:org.mitre.oval:def:23600

Oval ID:	oval:org.mitre.oval:def:23600
Title:	ELSA-2011:0464: kdelibs security update (Moderate)
Description:	Cross-site scripting (XSS) vulnerability in the KHTMLPart::htmlError function in khtml/khtml_part.cpp in Konqueror in KDE SC 4.4.0 through 4.6.1 allows remote attackers to inject arbitrary web script or HTML via the URI in a URL corresponding to an unavailable web site.
Family:	unix	Class:	patch
Reference(s):	ELSA-2011:0464-01 CVE-2011-1094 CVE-2011-1168	Version:	13
Platform(s):	Oracle Linux 6	Product(s):	kdelibs
Definition Synopsis:
Oracle Linux 6.x rpm test kdelibs-apidocs is earlier than 6:4.3.4-11.el6_0.2 AND kdelibs-common is earlier than 6:4.3.4-11.el6_0.2 AND kdelibs-devel is earlier than 6:4.3.4-11.el6_0.2 AND kdelibs is earlier than 6:4.3.4-11.el6_0.2

Definition Id: oval:org.mitre.oval:def:27884

Oval ID:	oval:org.mitre.oval:def:27884
Title:	DEPRECATED: ELSA-2011-0464 -- kdelibs security update (moderate)
Description:	[6:4.3.4-11.2] - rebase the fix for CVE-2011-1094 [6:4.3.4-11.1] - fixes CVE-2011-1094, CVE-2011-1168
Family:	unix	Class:	patch
Reference(s):	ELSA-2011-0464 CVE-2011-1094 CVE-2011-1168	Version:	4
Platform(s):	Oracle Linux 6	Product(s):	kdelibs
Definition Synopsis:
Oracle Linux 6.x Packages match section kdelibs is earlier than 0:4.3.4-11.el6_0.2 AND kdelibs-apidocs is earlier than 0:4.3.4-11.el6_0.2 AND kdelibs-common is earlier than 0:4.3.4-11.el6_0.2 AND kdelibs-devel is earlier than 0:4.3.4-11.el6_0.2

CPE : Common Platform Enumeration

Type	Description	Count
Application	Kde Kde Sc cpe:2.3:a:kde:kde_sc:4.6.1:::::::* cpe:2.3:a:kde:kde_sc:4.6.0:::::::* cpe:2.3:a:kde:kde_sc:4.6:beta2:::::: cpe:2.3:a:kde:kde_sc:4.6:beta1:::::: cpe:2.3:a:kde:kde_sc:4.6:rc2:::::: cpe:2.3:a:kde:kde_sc:4.6:rc1:::::: cpe:2.3:a:kde:kde_sc:4.5.5:::::::* cpe:2.3:a:kde:kde_sc:4.5.4:::::::* cpe:2.3:a:kde:kde_sc:4.5.3:::::::* cpe:2.3:a:kde:kde_sc:4.5.2:::::::* cpe:2.3:a:kde:kde_sc:4.5.1:::::::* cpe:2.3:a:kde:kde_sc:4.5.0:::::::* cpe:2.3:a:kde:kde_sc:4.4.5:::::::* cpe:2.3:a:kde:kde_sc:4.4.4:::::::* cpe:2.3:a:kde:kde_sc:4.4.3:::::::* cpe:2.3:a:kde:kde_sc:4.4.2:::::::* cpe:2.3:a:kde:kde_sc:4.4.1:::::::* cpe:2.3:a:kde:kde_sc:4.4.0:beta1:::::: cpe:2.3:a:kde:kde_sc:4.4.0:rc3:::::: cpe:2.3:a:kde:kde_sc:4.4.0:rc1:::::: cpe:2.3:a:kde:kde_sc:4.4.0:beta2:::::: cpe:2.3:a:kde:kde_sc:4.4.0:::::::* cpe:2.3:a:kde:kde_sc:4.4.0:rc2::::::	23

OpenVAS Exploits

Date	Description
2012-06-06	Name : RedHat Update for kdelibs RHSA-2011:0464-01 File : nvt/gb_RHSA-2011_0464-01_kdelibs.nasl
2011-05-10	Name : Ubuntu Update for kde4libs USN-1110-1 File : nvt/gb_ubuntu_USN_1110_1.nasl
2011-04-22	Name : Fedora Update for libextractor FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_libextractor_fc14.nasl
2011-04-22	Name : Fedora Update for kdemultimedia FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdemultimedia_fc14.nasl
2011-04-22	Name : Fedora Update for kdenetwork FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdenetwork_fc14.nasl
2011-04-22	Name : Fedora Update for kdepimlibs FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdepimlibs_fc14.nasl
2011-04-22	Name : Fedora Update for kdeplasma-addons FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdeplasma-addons_fc14.nasl
2011-04-22	Name : Fedora Update for kdesdk FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdesdk_fc14.nasl
2011-04-22	Name : Fedora Update for kdetoys FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdetoys_fc14.nasl
2011-04-22	Name : Fedora Update for kdeutils FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdeutils_fc14.nasl
2011-04-22	Name : Fedora Update for koffice FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_koffice_fc14.nasl
2011-04-22	Name : Fedora Update for kphotoalbum FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kphotoalbum_fc14.nasl
2011-04-22	Name : Fedora Update for krename FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_krename_fc14.nasl
2011-04-22	Name : Fedora Update for darktable FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_darktable_fc14.nasl
2011-04-22	Name : Fedora Update for libgexiv2 FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_libgexiv2_fc14.nasl
2011-04-22	Name : Fedora Update for merkaartor FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_merkaartor_fc14.nasl
2011-04-22	Name : Fedora Update for oxygen-icon-theme FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_oxygen-icon-theme_fc14.nasl
2011-04-22	Name : Fedora Update for pyexiv2 FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_pyexiv2_fc14.nasl
2011-04-22	Name : Fedora Update for qtpfsgui FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_qtpfsgui_fc14.nasl
2011-04-22	Name : Fedora Update for rawstudio FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_rawstudio_fc14.nasl
2011-04-22	Name : Fedora Update for shotwell FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_shotwell_fc14.nasl
2011-04-22	Name : Fedora Update for strigi FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_strigi_fc14.nasl
2011-04-22	Name : Fedora Update for ufraw FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_ufraw_fc14.nasl
2011-04-22	Name : Mandriva Update for kdelibs4 MDVSA-2011:075 (kdelibs4) File : nvt/gb_mandriva_MDVSA_2011_075.nasl
2011-04-22	Name : Fedora Update for kdegraphics FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdegraphics_fc14.nasl
2011-04-22	Name : Fedora Update for kdelibs FEDORA-2011-5183 File : nvt/gb_fedora_2011_5183_kdelibs_fc13.nasl
2011-04-22	Name : Fedora Update for exiv2 FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_exiv2_fc14.nasl
2011-04-22	Name : Fedora Update for geeqie FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_geeqie_fc14.nasl
2011-04-22	Name : Fedora Update for gipfel FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_gipfel_fc14.nasl
2011-04-22	Name : Fedora Update for gnome-commander FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_gnome-commander_fc14.nasl
2011-04-22	Name : Fedora Update for gpscorrelate FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_gpscorrelate_fc14.nasl
2011-04-22	Name : Fedora Update for gthumb FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_gthumb_fc14.nasl
2011-04-22	Name : Fedora Update for hugin FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_hugin_fc14.nasl
2011-04-22	Name : Fedora Update for immix FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_immix_fc14.nasl
2011-04-22	Name : Fedora Update for kde-l10n FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kde-l10n_fc14.nasl
2011-04-22	Name : Fedora Update for kdeaccessibility FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdeaccessibility_fc14.nasl
2011-04-22	Name : Fedora Update for kdeadmin FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdeadmin_fc14.nasl
2011-04-22	Name : Fedora Update for kdeartwork FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdeartwork_fc14.nasl
2011-04-22	Name : Fedora Update for kdebase-runtime FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdebase-runtime_fc14.nasl
2011-04-22	Name : Fedora Update for kdebase-workspace FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdebase-workspace_fc14.nasl
2011-04-22	Name : Fedora Update for kdebase FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdebase_fc14.nasl
2011-04-22	Name : Fedora Update for kdebindings FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdebindings_fc14.nasl
2011-04-22	Name : Fedora Update for kdeedu FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdeedu_fc14.nasl
2011-04-22	Name : Fedora Update for kdegames FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdegames_fc14.nasl
2011-04-22	Name : Fedora Update for kdelibs FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdelibs_fc14.nasl
0000-00-00	Name : Slackware Advisory SSA:2011-101-02 kdelibs File : nvt/esoft_slk_ssa_2011_101_02.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
71876	KDE Konqueror khtml/khtml_part.cpp KHTMLPart::htmlError() Function Error Page... KDE Konqueror contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the URL when it is displayed via the error page upon submission to the 'HTMLPart::htmlError()' function in 'khtml/khtml_part.cpp'. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Description

71876

KDE Konqueror khtml/khtml_part.cpp KHTMLPart::htmlError() Function Error Page...

KDE Konqueror contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the URL when it is displayed via the error page upon submission to the 'HTMLPart::htmlError()' function in 'khtml/khtml_part.cpp'. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Nessus® Vulnerability Scanner

Date	Description
2014-06-13	Name : The remote openSUSE host is missing a security update. File : suse_11_3_kdelibs4-110418.nasl - Type : ACT_GATHER_INFO
2014-06-13	Name : The remote openSUSE host is missing a security update. File : suse_11_4_kdelibs4-110418.nasl - Type : ACT_GATHER_INFO
2013-07-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2011-0464.nasl - Type : ACT_GATHER_INFO
2012-08-01	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20110421_kdelibs_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2011-06-13	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1110-1.nasl - Type : ACT_GATHER_INFO
2011-05-28	Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2011-101-02.nasl - Type : ACT_GATHER_INFO
2011-05-27	Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_kdelibs4-110418.nasl - Type : ACT_GATHER_INFO
2011-05-13	Name : The remote openSUSE host is missing a security update. File : suse_11_2_kdelibs4-110418.nasl - Type : ACT_GATHER_INFO
2011-04-22	Name : The remote Fedora host is missing one or more security updates. File : fedora_2011-5200.nasl - Type : ACT_GATHER_INFO
2011-04-22	Name : The remote Fedora host is missing one or more security updates. File : fedora_2011-5221.nasl - Type : ACT_GATHER_INFO
2011-04-22	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-0464.nasl - Type : ACT_GATHER_INFO
2011-04-21	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2011-075.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-02-17 11:42:12	Multiple Updates

Global Informations

Type	Count
CWE ID(s)	1
Oval ID(s)	4
CPE ID(s)	23
osvdb(s)	1
Openvas Exploit(s)	46
Nessus® Exploit(s)	12

	Related
4.3	CVE-2011-1168
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 1 more Alert(s)