List:       oss-security
Subject:    [oss-security] Re: CVE Request: Django CMS
From:       Matthew Wilkes <matt () matthewwilkes ! name>
Date:       2015-06-28 11:20:52
Message-ID: 558FD894.7060901 () matthewwilkes ! name

> Use CVE-2015-5081 for the CSRF issue.

Thank you!

> The cms.changelist.js and cms.toolbar.js changes include a comment
> "send post request to prevent xss attacks." The "xss" word choice
> might be a mistake. We are not currently assigning a CVE ID for a
> separate XSS issue.

I believe you are correct.

> CVE IDs were not assigned on a per-discoverer basis here because there
> was no available information suggesting that different persons
> independently discovered different CSRF problems.

I don't believe that they were different, having read the public 
information. I've asked for clarification from the vendor, though.

If anything, my logic for including the information about credit was to 
emphasise that it was one issue reported by two people and make us both 
searchable, in case there is confusion if one or both of us write up the 
issue in future.

Thanks,

Matt