
List:       oss-security
Subject:    Re: [oss-security] CVE request: letodms multiple issues
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-08-31 21:45:35
Message-ID: 5041307F.6030509 () redhat ! com


On 08/28/2012 12:07 AM, Raphael Geissert wrote:
> On Tuesday 28 August 2012 00:49:51 Kurt Seifried wrote:
>> Welp if someone summarizes it I'll assign CVE's happily =).
> 
> As per EDB-ID: 20759, there are at least the following issues:
> 
>> 1. Reflected XSS in Login Page.
> But in fact it's not just the login page. However, since it's the
> same kind of vulnerability, I'd just assign one for all the out/
> reflected XSS'.
>> 2. Stored XSS in Document Owner/User name (when viewing user
>> document).
>> 3. Stored XSS in Calendar.
> Perhaps those two could be covered by only one id.

CWE dumps XSS into one thing mostly
http://cwe.mitre.org/data/definitions/79.html

Please use CVE-2012-4384 for these 3 XSS issues.

>> 4. Change Password CSRF.

Please use CVE-2012-4385 for this issue.

> And this one definitely needs its own id.
> 
> 
> If one is to review the code base, there are probably many more.
> The changes made to the SQL queries are just a hint.
> 
> Cheers,
> 


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
