Date: Mon, 31 Dec 2012 12:42:13 +0200
From: Henri Salo <>
Subject: Dispute CVE-2012-5903 SMF index.php scheduled-parameter XSS


I tried to reproduce CVE-2012-5903 SMF index.php scheduled-parameter XSS without luck. Does someone have a working payload for this? References:

Until someone provides a working PoC, I dispute this issue. SMF hasn't replied to my emails about this. Please note there are several comments[1][2] in forums about this too.


It's not a security vulnerability if an attacker already has administrator access to the application. Should we REJECT CVE-2012-5903?

- Henri Salo
