Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 4 May 2012 10:32:41 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-request: OpenKM 5.1.7 Privilege Escalation
 / OS Command Execution (XSRF based)

On Fri, Mar 23, 2012 at 09:09:30AM -0600, Kurt Seifried wrote:
> On 03/23/2012 04:00 AM, Henri Salo wrote:
> > Can I get CVE-identifiers for these two security vulnerabilities?
> > 
> > http://osvdb.org/show/osvdb/78105 COMPASS-2012-001
> > http://osvdb.org/show/osvdb/78106 COMPASS-2012-002
> > 
> > - Henri Salo
> 
> I'm going to need some original vendor information (name, site, etc.).
> 
> -- 
> Kurt Seifried Red Hat Security Response Team (SRT)

Hello Kurt and list,

I received following information from Paco Avila from OpenKM. I hope this clarifies things.

"OpenKM Permission Weakness Admin Privilege Escalation"
COMPASS-2012-001 / OSVDB:78105 / SA47424:
Diff: AuthServlet.diff
Issue tracker: http://issues.openkm.com/view.php?id=1973

"OpenKM Arbitrary Admin User Creation CSRF"
COMPASS-2012-002 / OSVDB:78106 / SA47420:
Diff: scripting.diff
Issue tracker: http://issues.openkm.com/view.php?id=1750

- Henri Salo

View attachment "AuthServlet.diff" of type "text/x-diff" (8743 bytes)

View attachment "scripting.diff" of type "text/x-diff" (3551 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ