Date: Sun, 25 Dec 2011 12:16:43 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>, security@...mla.org
Subject: Re: CVE-request for three 2009 Joomla issues (second part)

On 12/25/2011 07:37 AM, Henri Salo wrote:
> Can I get three CVEs assigned for these issues:
>
> 1) "Input passed via the "HTTP_REFERER" is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site."
> http://developer.joomla.org/security/news/298-20090604-core-frontend-xss-httpreferer-not-properly-filtered.html
> http://osvdb.org/show/osvdb/55589

Please use CVE-2011-4909 for this issue.

>
> 2) "Input passed via the URL is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site."
> http://developer.joomla.org/security/news/299-20090605-core-frontend-xss-phpself-not-properly-filtered.html
> http://osvdb.org/show/osvdb/55590

Please use CVE-2011-4910 for this issue.

>
> 3) "A security issue exists due to certain files missing the check for JEXEC, which can lead to the disclosure of path information."
> http://developer.joomla.org/security/news/300-20090606-core-missing-jexec-check.html (different than 302-20090722-core-missing-jexec-check.html)
> http://osvdb.org/show/osvdb/55591

Please use CVE-2011-4911 for this issue.

> Secunia advisory: http://secunia.com/advisories/35668/
>
> - Henri Salo

-- 
-Kurt Seifried / Red Hat Security Response Team
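For readers unfamiliar with the two weakness classes named in the advisories above, the following is an added illustration written for this page; it is not Joomla's code and not part of the thread. It shows a request-controlled value (HTTP_REFERER, PHP_SELF) echoed into HTML with and without output encoding, and the `defined('_JEXEC') or die` guard whose absence lets a framework file be requested directly. The function names and the sample request values are constructed for the example.

```php
<?php
// Added illustration (not Joomla's code) of the two weakness classes in the
// advisories: reflected XSS from unencoded request data, and a framework file
// that lacks the _JEXEC entry-point guard.

// Constructed sample inputs standing in for a real request. Both carry HTML
// metacharacters so the effect of encoding is visible.
$_SERVER['HTTP_REFERER'] = 'http://example.test/?q="><b>raw</b>';
$_SERVER['PHP_SELF']     = '/index.php/"><i>raw</i>';

// --- 1) Reflected XSS: vulnerable pattern vs. hardened pattern -------------

// Vulnerable: raw request data is interpolated straight into markup, so the
// closing quote and tags in the input become part of the page.
function backLinkUnsafe(string $referer): string
{
    return '<a href="' . $referer . '">Back</a>';
}

// Hardened: HTML-encode on output. ENT_QUOTES matters here because the value
// lands inside an attribute and a bare double quote would close it.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function backLinkSafe(string $referer): string
{
    return '<a href="' . encodeForHtml($referer) . '">Back</a>';
}

// PHP_SELF is the usual form-action case; the same encoding applies.
function formActionSafe(string $self): string
{
    return '<form action="' . encodeForHtml($self) . '" method="post">';
}

// Defender-side check: an encoded attribute value must contain none of the
// characters that could end the attribute or start a tag.
function isInertAttributeValue(string $encoded): bool
{
    return strpbrk($encoded, '<>"\'') === false;
}

// --- 2) The _JEXEC guard -------------------------------------------------

// Joomla's entry point defines _JEXEC before including any other file. A file
// that begins with  defined('_JEXEC') or die('Restricted access');  refuses a
// direct request. Without the guard, a directly requested file runs outside
// the framework, typically fails on an undefined class or missing include,
// and PHP's error output then prints the failing file's absolute path; that
// is the "disclosure of path information" in the third advisory.
function renderComponent(): string
{
    if (!defined('_JEXEC')) {
        return 'Restricted access';
    }
    return 'component output';
}

// --- Demo (run with: php reflect_guard_demo.php) --------------------------

echo "unsafe : ", backLinkUnsafe($_SERVER['HTTP_REFERER']), "\n";
echo "safe   : ", backLinkSafe($_SERVER['HTTP_REFERER']), "\n";
echo "form   : ", formActionSafe($_SERVER['PHP_SELF']), "\n";

$encoded = encodeForHtml($_SERVER['HTTP_REFERER']);
echo "encoded value inert: ", isInertAttributeValue($encoded) ? 'yes' : 'no', "\n";
echo "raw value inert    : ", isInertAttributeValue($_SERVER['HTTP_REFERER']) ? 'yes' : 'no', "\n";

// Direct request: _JEXEC is not defined, the guard stops the file.
echo "direct request : ", renderComponent(), "\n";
// Through the entry point: the framework defines _JEXEC first.
define('_JEXEC', 1);
echo "via entry point: ", renderComponent(), "\n";
```

Encoding is applied at the point where the value is written into HTML rather than when it is read, which is the reason the advisories describe the flaw as input "not properly sanitised before being returned to the user": the same Referer or path string is harmless in a log line and dangerous only once it becomes markup. The `_JEXEC` guard is a one-line addition per file, so the practical check for a Joomla deployment is a search for PHP files under the site root that do not begin with it.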