List:       oss-security
Subject:    Re: [oss-security] CVE Request Smarty / php-Smarty: XSS in Smarty exception messages
From:       Kurt Seifried <kseifried@redhat.com>
Date:       2012-09-20 2:52:34
Message-ID: 505A84F2.3020103@redhat.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/19/2012 11:43 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
> 
> a cross-site scripting (XSS) flaw was found in the way Smarty
> sanitized exception messages:
> [1] http://secunia.com/advisories/50589/
> [2] http://code.google.com/p/smarty-php/source/browse/trunk/distribution/change_log.txt
>
> Upstream patch:
> [3] http://code.google.com/p/smarty-php/source/detail?r=4658
> 
> Could you allocate a CVE id for this?
> 
> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
> Security Response Team
> 
> P.S.: Going through the OSS archive from 2012-09 it doesn't seem
> this has got a CVE identifier yet (but I didn't look at posts from
> previous months).

I checked all CVEs for 2012/2011; this is new.

Please use CVE-2012-4437 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQWoTyAAoJEBYNRVNeJnmTfMwP/jB4EoJKog4+DFg1Hn0RgEBE
O1AxVy0T3ARaNMB3r1Nyc2bQv+G04x+uqJtGVc+OiEwTiDhDHkuHLakMHZ9NwpvH
eHV8SyuIgasIJauLHf1aNp5iKsEmrc1302tBJX96DQF397r6aR33NwkDGvC0n1RO
Fwdx/++IKjeKjih5gZPngEm42qes9XXECjQ8/Z6xGoYcm7UAJxdXAeYf427Kb2FK
pZHFWPDFNb/uzwAF1hlmVhSzud87n9PyqRATtVn0EwpNhAyRoAQQ0ES9b+7wdg7P
qN++F3lpf1ei0fQ/TewIOeuVhX56dHTkALFDaHx7QAo9X7WGNyW6505wJmIm/2cV
OG4Z9uzQJV9q3DkuAzNl6olGi6d1E4IDdZoM+jV3A4p3OI3VG4vCGD2okVEeMnlQ
LNgaOLOgn963P0YInNQOd2FfpvI41WuzMm0nm4s/9crS72tWsAXYhdujrv7k3R4g
RMyRv8ljKZ3OvXHeYieSI3/cdm++Fa3gSLApIQH6BLFC6ParFubk/nHE5XtzURZl
J5E60R3EgrwXDSO0foV4MgyBxd5RwkpUzlwQLm+mDLOe7ZQonqZEQToddMH3Ohai
jSd8D1GEUUM1W/z+qkOmIK7+GTVluPpYiZNWpgfZPvVBmzlfk4zwa7aZPkZqtSAW
H+CjF6SZlZMtGqwiT4F3
=I8Kn
-----END PGP SIGNATURE-----
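The flaw class behind this CVE request (an exception message that carries request-controlled text, written into an HTML error page without escaping) is easy to reproduce in a few lines. The example below is added here and is not Smarty's code or the upstream patch; the `loadTemplate()` engine, the `templates/` directory and the `?tpl=` parameter are assumptions for illustration, and the malicious template name is a constructed input.

```php
<?php
// Added example, not Smarty's code: a minimal template loader whose
// exception message embeds the requested (attacker-controlled) template
// name, plus a vulnerable and a hardened way of rendering that error.

class TemplateNotFoundException extends RuntimeException {}

function loadTemplate(string $name): string
{
    // Assumed layout: templates live under ./templates and the name
    // arrives straight from the request (e.g. ?tpl=...).
    $path = __DIR__ . '/templates/' . $name;
    if (!is_file($path)) {
        // The request-controlled name becomes part of the message.
        throw new TemplateNotFoundException("Unable to load template '{$name}'");
    }
    return file_get_contents($path);
}

// Vulnerable: the raw exception message is written into an HTML page,
// so any markup in the template name reaches the browser intact.
function renderErrorUnsafe(Throwable $e): string
{
    return '<p class="error">' . $e->getMessage() . '</p>';
}

// Hardened: escape the message for the HTML context before output.
// ENT_QUOTES also escapes quotes (attribute contexts); ENT_SUBSTITUTE
// keeps malformed UTF-8 from blanking the whole string.
function renderErrorSafe(Throwable $e): string
{
    return '<p class="error">'
        . htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</p>';
}

// Constructed malicious input, as it would arrive in ?tpl=...
$requested = "<script>alert(1)</script>.tpl";

try {
    loadTemplate($requested);
} catch (TemplateNotFoundException $e) {
    // First line contains a live <script> tag; second line contains
    // &lt;script&gt;... which the browser renders as plain text.
    echo renderErrorUnsafe($e), PHP_EOL;
    echo renderErrorSafe($e), PHP_EOL;
}
```

The practitioner's check is the same whatever the engine: grep every place an exception or error message is echoed into HTML (error pages, debug consoles, log viewers) and confirm the message is escaped for that context, since template names, file paths and similar identifiers routinely originate in the request.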