Date: Fri, 31 Aug 2012 12:29:47 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Hanno Böck <hanno@...eck.de>
Subject: Re: CVE request: contao before 2.11.4 sql injection


On 08/31/2012 04:21 AM, Hanno Böck wrote:
> bug tracker info: https://github.com/contao/core/issues/4427
> 
> Upstream changelog: 
> http://contao.org/en/changelog/versions/2.11.html "Fixed a critical
> privilege escalation vulnerability which allowed regular users to
> make themselves administrators (thanks to Fabian Mihailowitsch)
> (see #4427)."
> 
> I think this has no CVE yet, please assign CVE.


Please use CVE-2012-4383 for this issue.

One note/comment, in the github discussion I see:

"I think it is more urgent than the previous two security fixes, but
as you say it only works for backend users (but even if they have no
user module available). I would not thread it as immediate release,
but also not wait a few weeks..."

so it looks like they have other issues that may need CVE's as well?

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

