Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 22 Nov 2011 12:52:22 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>, advisories@...itunasecurity.com
Subject: Re: CVE-request: Symphony CMS Multiple Cross-Site
 Scripting and SQL Injection Vulnerabilities (NS-11-008)

On 11/22/2011 04:09 AM, Henri Salo wrote:
> Can we assign CVE-identifiers for these three issues, thank you?
>
> Found from: 2.2.3
> Fixed in: 2.2.4
>
> 1. http://osvdb.org/show/osvdb/76882 / SA46663
> extensions/profiledevkit/content/content.profile.php profile-parameter XSS
>
> 2. http://osvdb.org/show/osvdb/76883 / SA46663
> symphony/lib/core/class.symphony.php filter-parameter XSS

Ok merging these two issues (as per ADT4 specification)  please use
CVE-2011-4340 for this issue.


> 3. http://osvdb.org/show/osvdb/76884 / SA46663
> symphony/content/content.publish.ph filter-parameter SQL injection
> (Different than CVE-2010-3458)

Please use CVE-2011-4341 for this issue.
> References:
> http://seclists.org/bugtraq/2011/Nov/8
> http://www.mavitunasecurity.com/xss-and-sql-injection-vulnerabilities-in-symphony-cms/
> http://secunia.com/advisories/46663/
> Advisory Reference: NS-11-008
>
> - Henri Salo


-- 

-Kurt Seifried / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.