List:       oss-security
Subject:    Re: [oss-security] Jara 1.6 SQL injection and XSS
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2011-10-31 16:26:09
Message-ID: 4EAECC21.9010105 () redhat ! com
On 10/31/2011 10:01 AM, Kurt Seifried wrote:
> On 10/30/2011 04:48 AM, Henri Salo wrote:
>> Can I get CVE-identifiers for these issues:
>>
>> SQL injection: http://seclists.org/fulldisclosure/2011/Oct/767 (http://seclists.org/bugtraq/2011/Oct/201)
>> Bug report to vendor: https://sourceforge.net/tracker/?func=detail&aid=3428075&group_id=294500&atid=1243901
>>
Please use CVE-2011-4094 for the SQL injection issue.
>> XSS: http://packetstormsecurity.org/files/106114/jara-sql.txt
>> Bug report to vendor: https://sourceforge.net/tracker/?func=detail&aid=3430384&group_id=294500&atid=1243901
>>
> I assume here you are referring to the comment:
>
> "http://localhost/jara/search.php?term=<script>alert('Faille XSS')</script>"
>
Please use CVE-2011-4095 for the XSS issue.
>> No vendor reply. No fix.
>>
>> Best regards,
>> Henri Salo


-- 

-Kurt Seifried / Red Hat Security Response Team
