Date: Thu, 27 Mar 2008 19:22:35 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: Hanno Böck <hanno@...eck.de>
Subject: Re: Need CVEs for joomla, egroupware


Note all: these CVEs only cover the publicly disclosed issues.  The
non-public ones that Nico requested will be handled separately in the
normal CVE reservation process.


======================================================
Name: CVE-2008-1502
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1502
Reference: MISC:http://www.egroupware.org/viewvc/branches/1.4/phpgwapi/inc/class.kses.inc.php?r1=23625&r2=25110&pathrev=25110
Reference: CONFIRM:http://www.egroupware.org/changelog
Reference: SECUNIA:29491
Reference: URL:http://secunia.com/advisories/29491

The _bad_protocol_once function in phpgwapi/inc/class.kses.inc.php in
eGroupWare before 1.4.003 allows remote attackers to bypass HTML
filtering and conduct cross-site scripting (XSS) attacks via a string
containing crafted URL protocols.


======================================================
Name: CVE-2008-1533
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1533
Reference: CONFIRM:http://www.joomla.org/content/view/4560/1/
Reference: SECUNIA:28861
Reference: URL:http://secunia.com/advisories/28861

Unspecified vulnerability in the XML-RPC Blogger API plugin in Joomla!
1.5 allows remote attackers to perform unauthorized article operations
on articles via unknown vectors.

