Date: Sun, 04 Aug 2013 23:47:16 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: CVE request: XSS in Google Web Toolkit (GWT) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 08/04/2013 10:56 PM, David Jorm wrote: > I note that with the release of Google Web Toolkit (GWT) 2.5.1, a > security flaw has been resolved: > > http://www.gwtproject.org/release-notes.html#Release_Notes_2_5_1_RC1 > ("Security Fixes") > > The release notes state: Fixed an XSS vulnerability in html files > used by GWTTestCase (patch). These files will only be included in a > GWT app if it depends on the JUnit module. Despite the fix, this is > not recommended. > > The patch is here: > https://code.google.com/p/google-web-toolkit/source/detail?r=11385 > > I have reproduced this flaw and can confirm it is reflected XSS. I > have previously contacted security@...gle asking for CVE IDs for > GWT flaws, but never received a response. Please assign a CVE ID to > this flaw. > > Thanks So according to http://cve.mitre.org/cve/cna.html Google is a CVE Numbering Authority but I can't find a CVE in google (irony?) for this so I guess they missed it. Please use CVE-2013-4204 for this issue. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJR/zxhAAoJEBYNRVNeJnmTgtEQAJ2gmoFcYw9EXIWtQBLkykBq 7GShyEcaxY43Ecm38TEIMElHxXsiX6QoI16O0AzkMi2N0TsKjxp0Lvf7zfU3fhqI +juPu2bqKP+yGRJKcb5RoEUr1QGkvS8e4BBTK/572shziiC7j+hvdYYOR3sFvmQw q8HiLIx/in+MUgB+V9XIOyKk5C8v60C8CQ8EH4oqD8q8YScq/HioaKgrs4GJqCUA tbnHPuah9WBOyS0RstyDPAsDRXVGl081mPlq0fllHq28sArbZo+gB1ZgDMhvVhbv AghVzKYt8px3FLi+MVlSTOGeIrTXtpsTWQ66DKxfYfsj1iNh+T3B/fD4H08c4hqX 46rEUBwGKvdNIcg6+DsHvni/6zXBry8qA9x3xwnfUK0xDhZZ8qXN5uXhPqLCM64N TADtIVy5R0f1pv9SNRUMuKBPs+Pw5kimgnYaM45i1E8ilSxHVX6JKsTukx89DK+0 YK674UeTPVQIelFFG8EnasINjgua2kEEaFWsqMPcLbeFsHZA9AD7GpEC6vilTrQz w8ApJ90Ti1oU0eZ1oMhpcjkgjQaS/ZIwYAkIZnLq9Xi5/jGu6aB0sum4fPd8Fytt QDWdJwfTaWq8pNa4M/wwLJGP89EQFunXfGwLd4iloJEHeDSRbmj7H0lRax4DSxeJ +07h7kydenYwxrVTBUL3 =roNw -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ