Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Fri, 04 May 2012 10:12:56 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>
Subject: Re: CVE-request: OpenKM 5.1.7 Privilege Escalation
 / OS Command Execution (XSRF based)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/04/2012 01:32 AM, Henri Salo wrote:
> On Fri, Mar 23, 2012 at 09:09:30AM -0600, Kurt Seifried wrote:
>> On 03/23/2012 04:00 AM, Henri Salo wrote:
>>> Can I get CVE-identifiers for these two security
>>> vulnerabilities?
>>> 
>>> http://osvdb.org/show/osvdb/78105 COMPASS-2012-001 
>>> http://osvdb.org/show/osvdb/78106 COMPASS-2012-002
>>> 
>>> - Henri Salo
>> 
>> I'm going to need some original vendor information (name, site,
>> etc.).
>> 
>> -- Kurt Seifried Red Hat Security Response Team (SRT)
> 
> Hello Kurt and list,
> 
> I received following information from Paco Avila from OpenKM. I
> hope this clarifies things.

Perfect, thanks!

> "OpenKM Permission Weakness Admin Privilege Escalation" 
> COMPASS-2012-001 / OSVDB:78105 / SA47424: Diff: AuthServlet.diff 
> Issue tracker: http://issues.openkm.com/view.php?id=1973

Please use CVE-2012-2315 for this issue.

> "OpenKM Arbitrary Admin User Creation CSRF" COMPASS-2012-002 /
> OSVDB:78106 / SA47420: Diff: scripting.diff Issue tracker:
> http://issues.openkm.com/view.php?id=1750

Please use CVE-2012-2316 for this issue.


> - Henri Salo


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPpAAIAAoJEBYNRVNeJnmTq6MQAKdbrnpD6WqmbRf1gIaD80LF
oJdMFT58ofFlCzslMDbWGv4lmOM+pSDLVrFgV20jFn9h6XqiAD9Kou77PM3XzgsK
tqVzCePwkvLr5grFBTu72UDoiSyJzITtQgLQkijnwovU4TCvUTSMqio3Z2WaCqqR
mTfc9rC67XE76CgxwXxg4TCRw7Dk/Cnh+rpCYAtCPVSxkFwlsf639TMx5zAq/wkF
K7HPDCC5qYcJN6EpmeHCbINTVwtN8LxYuxdabUTAST2FU7WzxV1cxXikexs8SvFl
0B9YL6zEeaQ0AVpnAhEhGOnyEVH6S50FZPIPWJ5+fpC1mBrpD592TDPzf/7B4pVU
0wvq7KNEActSqYhQpxlYmkmHQcKqgtIIPVi/cpkDOE36xyAF/ZAt+fKfYt87tZGw
wqgCxl6h958+/T51JMG2c1pC2+PqwAdIzamFaMk6+vsHBAJSp/QXZ/xP6MgxrOk3
Uonm3eM1s10thvMxLFNjcYT9Gh39a4R/F7uc1sZkJ/ipLIQo5Z6e1ffI3KBotXYn
F78uDUEgrwjQQQByX1d4KRDsb8+xtG34rov9G0lAyOYN+9dXys8tlnRmffBGXPrm
iwDPBsO+/U7zzY5xI7oC+rZk7M17kgMh+l6AXDeFWCpqpKCOESY3Hn9yDmLNRYKG
AA1P7EVOfVxXXxU48/hb
=QQra
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.