Date: Mon, 6 Jan 2014 06:49:04 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: Dominic Hargreaves <dom@...th.li>
Subject: CVE Request: cross-site scripting vulnerabilities in movable type
 6.0.1, 5.2.9, and 5.161

Hi

A movable type update to 6.0.1, 5.29 and 5.161 fixes cross-site
scripting attacks, from the announcement:

> The Rich Text Editor in previous versions of Movable Type 6 and
> Movable Type 5 is susceptible to cross-site scripting (XSS) attacks.
> A remote attacker can inject JavaScript into a page or entry in a
> Movable Type blog or website. This JavaScript can be executed on the
> client browser when that page or entry is subsequently displayed in
> the Rich Text Editor.
>
> These vulnerabilities were reported by a member of the Movable Type
> community, and were kept confidential until the release of the updated
> versions of Movable Type.

 [0]  http://movabletype.org/news/2013/11/movable_type_601_529_and_5161_released_to_close_security_vul.html

Looking through the git repository at [1], there is at least [2] which
seems to indicate the fix for the 5.2.x branch (I cannot say though if
this is the complete one).

 [1] https://github.com/movabletype/movabletype
 [2] https://github.com/movabletype/movabletype/commit/c85903b3ee23ea2b4ddf981a75815c737f6f6040

Debian Bugtracker reference is at [3].

 [3] http://bugs.debian.org/734304

Is there enough information to identify the vulnerability and to get a
CVE assigned for this issue?

Regards,
Salvatore
