Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 28 Jun 2015 06:55:07 -0400 (EDT)
From: cve-assign@...re.org
To: matthew@...thewwilkes.co.uk
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: Django CMS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> a CSRF issue around publishing of draft changes
> 
> http://www.django-cms.org/en/blog/2015/06/27/311-3014-release/
> https://github.com/divio/django-cms/commit/f77cbc607d6e2a62e63287d37ad320109a2cc78a

Use CVE-2015-5081 for the CSRF issue.

The cms.changelist.js and cms.toolbar.js changes include a comment
"send post request to prevent xss attacks." The "xss" word choice
might be a mistake. We are not currently assigning a CVE ID for a
separate XSS issue.

> Sylvain Fankhauser of L//P and Matthew Wilkes of The Code Distillery,
> who discovered and privately demonstrated to the django CMS core
> developers an important CSRF vulnerability and contacted us through
> the documented channels.

CVE IDs were not assigned on a per-discoverer basis here because there
was no available information suggesting that different persons
independently discovered different CSRF problems.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVj9ICAAoJEKllVAevmvmsdu4H/1c3jL6XKKu20IXZe50bHo3q
LIqJQ5uIfYR3K1ZwO2UIP4GYQHfbnJw7sSMnijAeEqkKXOdZLNwyVXM8od20YR2x
axSLTHjl6Wygxn+z+inLf5pRNZiF4q+s4U+h0KXUIbJN6VDtSYkY5f0axh4P29sv
JwTmVzL6+WWEiJ24gRY8uB6awhoFCFJ+62BCqNSnBoa81rt6mwMIMO4z4deKJM5Y
p8K0jSeYJF8HHuhIGCBFUQ02jC8arlawuwnsyjnjFDOFSbLMrhuwVx7yF5Ut+Z8P
nNl38ABeqm03r6dRp1Fu81itEhH3Gw3EGXbDyr8Ivbk2TQ7L4bntdxnAPPOb8TU=
=3AtE
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.