
List:       oss-security
Subject:    Re: [oss-security] CVE request: contao before 2.11.4 sql injection
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-08-31 18:29:47
Message-ID: 5041029B.60607 () redhat ! com

On 08/31/2012 04:21 AM, Hanno Böck wrote:
> bug tracker info: https://github.com/contao/core/issues/4427
> 
> Upstream changelog: 
> http://contao.org/en/changelog/versions/2.11.html "Fixed a critical
> privilege escalation vulnerability which allowed regular users to
> make themselves administrators (thanks to Fabian Mihailowitsch)
> (see #4427)."
> 
> I think this has no CVE yet, please assign CVE.


Please use CVE-2012-4383 for this issue.

One note/comment, in the github discussion I see:

"I think it is more urgent than the previous two security fixes, but
as you say it only works for backend users (but even if they have no
user module available). I would not treat it as immediate release,
but also not wait a few weeks..."

so it looks like they have other issues that may need CVEs as well?

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
