Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 4 May 2012 10:32:41 +0300
From: Henri Salo <>
Subject: Re: CVE-request: OpenKM 5.1.7 Privilege Escalation
 / OS Command Execution (XSRF based)

On Fri, Mar 23, 2012 at 09:09:30AM -0600, Kurt Seifried wrote:
> On 03/23/2012 04:00 AM, Henri Salo wrote:
> > Can I get CVE-identifiers for these two security vulnerabilities?
> > 
> > COMPASS-2012-001
> > COMPASS-2012-002
> > 
> > - Henri Salo
> I'm going to need some original vendor information (name, site, etc.).
> -- 
> Kurt Seifried Red Hat Security Response Team (SRT)

Hello Kurt and list,

I received following information from Paco Avila from OpenKM. I hope this clarifies things.

"OpenKM Permission Weakness Admin Privilege Escalation"
COMPASS-2012-001 / OSVDB:78105 / SA47424:
Diff: AuthServlet.diff
Issue tracker:

"OpenKM Arbitrary Admin User Creation CSRF"
COMPASS-2012-002 / OSVDB:78106 / SA47420:
Diff: scripting.diff
Issue tracker:

- Henri Salo

View attachment "AuthServlet.diff" of type "text/x-diff" (8743 bytes)

View attachment "scripting.diff" of type "text/x-diff" (3551 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ