CVE-2017-14922

MEDIUM

Tine 2.0 CE <2017.08.4 - XSS

Description

Stored XSS vulnerability via IMG element at "History" of Profile, Calendar, Tasks, and CRM in Tine 2.0 Community Edition before 2017.08.4 allows an authenticated user to inject JavaScript, which is mishandled during rendering by the application administrator and other users.

References (5)

Core References
Issue Tracking, Patch, Release Notes, Third Party Advisory x_refsource_misc
https://github.com/tine20/Tine-2.0-Open-Source-Groupware-and-CRM/releases
Mailing List, Patch, Third Party Advisory x_refsource_misc
http://openwall.com/lists/oss-security/2017/09/28/11

Scores

CVSS v3 5.4
EPSS 0.0032
EPSS Percentile 55.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
tine20/tine_2.0 < 2017.08.3
Published Sep 30, 2017
Tracked Since Feb 18, 2026