{"id":"UBUNTU-CVE-2018-1000528","details":"GONICUS GOsa versions before commit 56070d6289d47ba3f5918885954dcceb75606001 contain a Cross Site Scripting (XSS) vulnerability in the change password form (html/password.php, #308) that can result in injection of arbitrary web script or HTML. This attack appears to be exploitable when the victim opens a specially crafted web page. This vulnerability appears to have been fixed after commit 56070d6289d47ba3f5918885954dcceb75606001.","modified":"2026-04-22T11:39:27.274952Z","published":"2018-06-26T16:29:00Z","related":["USN-4609-1"],"upstream":["CVE-2018-1000528"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-1000528"},{"type":"REPORT","url":"https://github.com/gosa-project/gosa-core/commit/56070d6289d47ba3f5918885954dcceb75606001"},{"type":"REPORT","url":"https://github.com/gosa-project/gosa-core/issues/14"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-4609-1"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2018-1000528"}],"affected":[{"package":{"name":"gosa","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/gosa@2.7.4+reloaded2-9ubuntu1.1?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.7.4+reloaded2-9ubuntu1.1"}]}],"versions":["2.7.4+reloaded2-2","2.7.4+reloaded2-5","2.7.4+reloaded2-6","2.7.4+reloaded2-7","2.7.4+reloaded2-8","2.7.4+reloaded2-9","2.7.4+reloaded2-9ubuntu1"],"ecosystem_specific":{"availability":"No subscription 
required","binaries":[{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-desktop"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-help-de"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-help-en"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-help-fr"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-help-nl"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-connectivity"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-dhcp"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-dhcp-schema"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-dns"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-dns-schema"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-fai"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-fai-schema"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-gofax"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-gofon"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-goto"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-kolab"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-kolab-schema"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-ldapmanager"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-mail"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-mit-krb5"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-mit-krb5-schema"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-nagios"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-nagios-schema
"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-netatalk"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-opengroupware"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-openxchange"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-openxchange-schema"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-opsi"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-phpgw"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-phpgw-schema"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-phpscheduleit"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-phpscheduleit-schema"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-pptp"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-pptp-schema"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-pureftpd"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-pureftpd-schema"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-rolemanagement"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-rsyslog"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-samba"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-scalix"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-squid"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-ssh"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-ssh-schema"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-sudo"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-sudo-schema"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-systems"},{"binary_ver
sion":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-uw-imap"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-plugin-webdav"},{"binary_version":"2.7.4+reloaded2-9ubuntu1.1","binary_name":"gosa-schema"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-1000528.json"}},{"package":{"name":"gosa","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/gosa@2.7.4+reloaded3-3?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.7.4+reloaded2-13ubuntu1","2.7.4+reloaded3-2ubuntu1","2.7.4+reloaded3-3"],"ecosystem_specific":{"binaries":[{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-desktop"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-help-de"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-help-en"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-help-fr"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-help-nl"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-connectivity"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-dhcp"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-dhcp-schema"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-dns"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-dns-schema"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-gofax"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-gofon"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-goto"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-kolab"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-kolab-schema"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-ldapmanager"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-mail"},{"binary_ve
rsion":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-mit-krb5"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-mit-krb5-schema"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-nagios"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-nagios-schema"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-netatalk"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-opengroupware"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-openxchange"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-openxchange-schema"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-phpgw"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-phpgw-schema"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-phpscheduleit"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-phpscheduleit-schema"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-pptp"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-pptp-schema"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-pureftpd"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-pureftpd-schema"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-rolemanagement"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-rsyslog"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-samba"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-scalix"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-squid"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-ssh"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-ssh-schema"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-sudo"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-sudo-schema"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-s
ystems"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-uw-imap"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-plugin-webdav"},{"binary_version":"2.7.4+reloaded3-3","binary_name":"gosa-schema"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-1000528.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"type":"Ubuntu","score":"medium"}]}