Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 16 Apr 2015 13:17:13 -0400 (EDT)
Subject: Re: CVE request: SQL injection vulnerability in WordPress plugins Community Events 1.3.5, Tune Library 1.5.4, WP Symposium 15.1

Hash: SHA1

>>> 3) WP Symposium plugin SQL injection vulnerability
>>> Affected version: 15.1 (and likely all versions below)
>>> Fixed version: Not yet available, author is working on a fix
>>> Plugin URL:  (still disabled by
>>> team)

>> Is this different from

> it's definitely a different vulnerability, as CVE-2014-8810 regards a SQL
> injection vulnerability in ajax/mail_functions.php whereas the problem I
> discovered exists in a forum function.

Use CVE-2015-3325.

> By the way - what would be the best way to publish the vulnerability
> details? A reply to this thread or posting it to Exploit-DB, Packet Storm or
> other mailing lists like Fulldisc or Bugtraq?

MITRE doesn't have any role in establishing the policies for use of
the oss-security list. The types of information you sent earlier --
references with vague changelog entries "Fixed for SQL injection
vulnerabilities" and "Fix SQL injection vulnerabilities" -- are
normally considered valid reports of open-source vulnerabilities,
e.g., a person who is neither the discoverer nor the vendor might
notice such a changelog entry and send it here. However, it is
somewhat unusual for a discoverer to choose a multi-stage approach in
which that level of a vague information is provided in one
oss-security post and full details are sent in a later post.

Our only suggestion for this case is that, given that the multi-stage
approach is already in progress, it would probably be best to
establish a link in at least one direction, e.g., either:

  - your full advisory should include a link to
    so that this previous discussion can be found


  - you should make a later oss-security post in this thread, with a
    link to the public URL(s) for your full advisory, which might
    be in any of the four locations that you proposed

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
Version: GnuPG v1.4.14 (SunOS)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.