Date: Tue, 22 Nov 2011 12:52:22 -0700 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Henri Salo <henri@...v.fi>, advisories@...itunasecurity.com Subject: Re: CVE-request: Symphony CMS Multiple Cross-Site Scripting and SQL Injection Vulnerabilities (NS-11-008) On 11/22/2011 04:09 AM, Henri Salo wrote: > Can we assign CVE-identifiers for these three issues, thank you? > > Found from: 2.2.3 > Fixed in: 2.2.4 > > 1. http://osvdb.org/show/osvdb/76882 / SA46663 > extensions/profiledevkit/content/content.profile.php profile-parameter XSS > > 2. http://osvdb.org/show/osvdb/76883 / SA46663 > symphony/lib/core/class.symphony.php filter-parameter XSS Ok merging these two issues (as per ADT4 specification) please use CVE-2011-4340 for this issue. > 3. http://osvdb.org/show/osvdb/76884 / SA46663 > symphony/content/content.publish.ph filter-parameter SQL injection > (Different than CVE-2010-3458) Please use CVE-2011-4341 for this issue. > References: > http://seclists.org/bugtraq/2011/Nov/8 > http://www.mavitunasecurity.com/xss-and-sql-injection-vulnerabilities-in-symphony-cms/ > http://secunia.com/advisories/46663/ > Advisory Reference: NS-11-008 > > - Henri Salo -- -Kurt Seifried / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ