Date: Wed, 22 Jun 2016 16:48:55 -0500 From: John Lightsey <john@...nuts.net> To: cve-assign@...re.org Cc: oss-security@...ts.openwall.com Subject: Re: CVE request: SQL injection in MovableType xml-rpc interface On Wed, 2016-06-22 at 17:34 -0400, cve-assign@...re.org wrote: > > SixApart just released new versions of MovableType 6.2 and 6.1 to fix an SQL > > injection in the xml-rpc interface. > > > https://movabletype.org/news/2016/06/movable_type_626_and_613_released.html > > This says: > > >> Previous versions, including Movable Type 6.2.4 and 6.1.2, are > >> susceptible to SQL injection attacks via XML-RPC interface. > > >> AFFECTED VERSIONS OF MOVABLE TYPE > > >> Movable Type Pro 6.0.x, 6.1.x, 6.2.x > >> Movable Type Advanced 6.0.x, 6.1.x, 6.2.x > > Use CVE-2016-5742. > > > The vulnerability also affects the older GPLv2 licensed MovableType > > 5.2.13. > > Is there a separate public reference stating that 5.2.13 is affected? > Or, do you mean that you've done your own analysis and concluded > that 5.2.13 has the same vulnerability as 6.x? (Either one seems > fine, and wouldn't affect the number of CVE IDs - we are mostly > interested in linking the CVE to the primary-source reference about > the 5.2.13 vulnerability, if such a reference exists elsewhere.) > I sent the original vulnerability report to SixApart and based my report on the 5.2.13 version of the code. [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ