Date: Sun,  6 Mar 2016 22:04:49 -0500 (EST)
From: cve-assign@...re.org
To: carnil@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: Dotclear: XSS vulnerability in comments management page and media exclusion control enforcement

> Dotclear, a web publishing software, fixed a cross-site scripting
> vulnerability in 2.8.2. Additionally the media exclusion control in the
> media manager was further enforced:
> 
> https://dotclear.org/blog/post/2015/10/25/Dotclear-2.8.2

> The XSS vulnerability was fixed with
> 
> https://hg.dotclear.org/dotclear/rev/65e65154dadf
> 
> admin/comments.php
> -  form::hidden(array('author'),preg_replace('/%/','%%',$author)).
> +  form::hidden(array('author'),html::escapeHTML(preg_replace('/%/','%%',$author))).
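
Review bot: the escaping on the `+` line is applied at this one call site in admin/comments.php rather than inside form::hidden itself, so every other caller that passes a request-derived value still has to remember to wrap it. Consider encoding the value inside form::hidden, or auditing the remaining callers in the same change. Since the value ends up in an attribute of a hidden input, it is also worth confirming that html::escapeHTML encodes the quote character and not only angle brackets. The order of operations looks fine: doubling `%` first and escaping afterwards does not reintroduce a bare `%`. A short comment on why the `%` is doubled would help the next reader.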

Use CVE-2015-8831.


> The second mentioned issue was addressed with
> 
> https://hg.dotclear.org/dotclear/rev/198580bc3d80
> 
> inc/core/class.dc.core.php
> -  array('media_exclusion','string','/\.php[0-9]*$/i',
> +  array('media_exclusion','string','/\.(phps?|pht(ml)?|phl)[0-9]*$/i',
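
Review bot: the new default on the `+` line is still a denylist, and the `$` anchor means it only tests the trailing extension of the file name. Whether that is sufficient depends on which extensions the web server hands to the PHP interpreter, which this pattern cannot know, so the list will need another update the next time a handler mapping is missed. An allowlist of permitted media extensions would fail closed instead. As a minor style point, `(ml)` can be the non-capturing `(?:ml)`, and a comment listing which extensions the alternation is meant to cover (`phps?`, `pht(ml)?`, `phl`, each with optional digits) would make later changes easier to review.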

Use CVE-2015-8832.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
