
Flaws Found in MySQL Tracking System


Flaws have been found in MySQL Eventum 1.5.5 and prior that allow malicious users to conduct cross-site scripting and SQL injection attacks.

Eventum is an issue-tracking system that can be used by support departments to track incoming technical support requests or by a software development team to organize tasks and bugs. According to MySQL AB's site, Eventum is used by the MySQL AB Technical Support team "to dramatically improve" its response times.

One of the flaws, reported on Monday by security alerts aggregator Secunia Inc., concerns how input passed to the "id" parameter in "view.php," the "release" parameter in "list.php" and the "F" parameter in "get_jsrs_data.php" is handled.

According to Secunia's report, input is not properly sanitized before being returned to users. This can be used to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Secunia's report goes on to say that certain input passed to the release, report and authentication classes is also not being properly sanitized before being used in a SQL query. This can be used to manipulate the queries by injecting arbitrary SQL code.
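The two defect classes the report describes, an unsanitized request parameter echoed back into a page and a query built by pasting input into SQL text, are shown below beside their fixes. This is an added Python illustration written for this page; it is not Eventum's code and does not reproduce anything from the Secunia or GulfTech advisories. The table, column names, parameter handling and sample rows are invented for the demonstration; only the parameter names "id" and "release" come from the article.

```python
"""Reflected output and query construction: the weak form beside the fixed form.

Constructed illustration of the flaw classes named in the article. The schema,
rows and page template below are invented; they are not Eventum's.
"""
import html
import sqlite3
from urllib.parse import parse_qs


def build_sample_db() -> sqlite3.Connection:
    """In-memory table standing in for an issue tracker's store (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE issue (id INTEGER PRIMARY KEY, release TEXT, "
        "title TEXT, private INTEGER)"
    )
    conn.executemany(
        "INSERT INTO issue VALUES (?, ?, ?, ?)",
        [
            (1, "1.0", "Login fails", 0),
            (2, "1.0", "Crash on start", 0),
            (3, "2.0", "Internal security note", 1),  # must never be listed
        ],
    )
    return conn


def list_issues_vulnerable(conn: sqlite3.Connection, release: str) -> list:
    """The 'release' value becomes part of the SQL text itself.

    A value containing a quote changes the structure of the statement, so the
    'private = 0' restriction can be bypassed; this is the pattern the report
    calls "not properly sanitized before being used in a SQL query".
    """
    sql = (
        "SELECT id, title FROM issue WHERE private = 0 AND release = '%s'" % release
    )
    return conn.execute(sql).fetchall()


def list_issues_safe(conn: sqlite3.Connection, release: str) -> list:
    """Parameterised query: the value is bound as data, never parsed as SQL."""
    sql = "SELECT id, title FROM issue WHERE private = 0 AND release = ?"
    return conn.execute(sql, (release,)).fetchall()


def parse_issue_id(raw: str):
    """Type check for an 'id' parameter that is expected to be a positive integer.

    Returns the integer, or None when the value is not one. Validating the
    expected shape first means hostile input never reaches the template or the
    database at all; escaping (below) covers the fields that really are free text.
    """
    if raw.isdigit():
        value = int(raw)
        return value if value > 0 else None
    return None


def render_view_vulnerable(query_string: str) -> str:
    """Echoes the 'id' parameter into HTML unchanged, so markup in it is rendered."""
    params = parse_qs(query_string, keep_blank_values=True)
    issue_id = params.get("id", [""])[0]
    return "<h1>Issue %s</h1>" % issue_id


def render_view_safe(query_string: str) -> str:
    """Validates 'id' and HTML-escapes whatever is reflected back to the browser."""
    params = parse_qs(query_string, keep_blank_values=True)
    raw = params.get("id", [""])[0]
    issue_id = parse_issue_id(raw)
    if issue_id is None:
        # Reflecting the bad value is still safe because it is escaped.
        return "<p>Invalid issue id: %s</p>" % html.escape(raw, quote=True)
    return "<h1>Issue %d</h1>" % issue_id


if __name__ == "__main__":
    db = build_sample_db()
    probe = "' OR '1'='1"  # classic quote-breaking value, used here only to show the contrast
    print("vulnerable:", list_issues_vulnerable(db, probe))  # private row leaks
    print("safe:      ", list_issues_safe(db, probe))        # no rows match
    print(render_view_vulnerable("id=<b>x</b>"))
    print(render_view_safe("id=<b>x</b>"))
    print(render_view_safe("id=42"))
```

The point of the contrast is that the fix is structural, not a blacklist: binding parameters keeps data out of the SQL grammar, and validating then escaping keeps data out of the HTML grammar, regardless of which characters an attacker tries.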

Secunia rates the bugs as moderately critical, but the researcher who originally found them, James Bercegay of the GulfTech Security Research Team, reported that they are highly exploitable and should be patched immediately.

The flaws are present in versions 1.5.5 and prior. Eventum users should update to Version 1.6.0, which was released on Saturday; the project has published release notes for the new version.

By Lisa Vaas
