Date: Fri, 31 Jan 2014 13:25:41 +0000
From: Pedro Ribeiro <>
Cc: Steve Kenow <>, ImpressCMS Security <>
Subject: CVE request: impressCMS 1.3.5 arbitrary file deletion and XSS


I have discovered two vulnerabilities in ImpressCMS. These have been fixed
in the new 1.3.6 version, which you can get at

One is an arbitrary file deletion and the other is two cross site scripting
Note that I was unable to exploit the XSS issues due to the inbuilt
protection module, so I'm not sure if it qualifies for a CVE.

The tickets containing the information are available here

Unfortunately I can't paste the full report in this email as the Android
Gmail client will mangle it. Please see the text file at
more details.

Thanks in advance, and thanks to the ImpressCMS team for being so

Pedro Ribeiro
Agile Information Security
