Date: Tue, 1 Oct 2013 19:23:28 -0500 (CDT) From: security curmudgeon <jericho@...rition.org> To: oss-security@...ts.openwall.com Subject: Re: CVE request: Simple Machines Forum (SMF) <= 2.0.5 - multiple vulnerabilities From: Kurt Seifried <kseifried () redhat com> Date: Tue, 01 Oct 2013 10:07:22 -0600 Please use CVE-2013-4395 for the XSS vuln. -- Which XSS vuln? =) That thread was messy, but Henri and others appear to have identified and/or confirmed four different ones: /Sources/ManageServer.php Multiple XSS http://seclists.org/oss-sec/2013/q3/607 http://custom.simplemachines.org/upgrades/index.php?action=upgrade;file=smf_patch_2.0.5.tar.gz;smf_version=2.0.4 http://www.simplemachines.org/community/index.php?topic=509417 http://seclists.org/oss-sec/2013/q3/642 index.php admin Action board_name Parameter Stored XSS http://seclists.org/oss-sec/2013/q3/642 http://hauntit.blogspot.co.uk/2013/04/en-smf-204-full-disclosure.html index.php pm Action sa Parameter Stored XSS http://hauntit.blogspot.co.uk/2013/04/en-smf-204-full-disclosure.html http://seclists.org/oss-sec/2013/q3/642 index.php admin Action desc Parameter Stored XSS http://seclists.org/oss-sec/2013/q3/642 That is what I took away from the entire thread at least. Can someone confirm this is correct, and can you confirm the CVE assignment please Kurt? Brian
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.