Date: Thu, 16 Apr 2015 13:17:13 -0400 (EDT) From: cve-assign@...re.org To: hannes.trunde@...il.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE request: SQL injection vulnerability in WordPress plugins Community Events 1.3.5, Tune Library 1.5.4, WP Symposium 15.1 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >>> 3) WP Symposium plugin SQL injection vulnerability >>> Affected version: 15.1 (and likely all versions below) >>> Fixed version: Not yet available, author is working on a fix >>> Plugin URL: https://wordpress.org/plugins/wp-symposium/ (still disabled by >>> WordPress.org team) >> Is this different from >> >> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8810 > it's definitely a different vulnerability, as CVE-2014-8810 regards a SQL > injection vulnerability in ajax/mail_functions.php whereas the problem I > discovered exists in a forum function. Use CVE-2015-3325. > By the way - what would be the best way to publish the vulnerability > details? A reply to this thread or posting it to Exploit-DB, Packet Storm or > other mailing lists like Fulldisc or Bugtraq? MITRE doesn't have any role in establishing the policies for use of the oss-security list. The types of information you sent earlier -- references with vague changelog entries "Fixed for SQL injection vulnerabilities" and "Fix SQL injection vulnerabilities" -- are normally considered valid reports of open-source vulnerabilities, e.g., a person who is neither the discoverer nor the vendor might notice such a changelog entry and send it here. However, it is somewhat unusual for a discoverer to choose a multi-stage approach in which that level of a vague information is provided in one oss-security post and full details are sent in a later post. Our only suggestion for this case is that, given that the multi-stage approach is already in progress, it would probably be best to establish a link in at least one direction, e.g., either: - your full advisory should include a link to http://openwall.com/lists/oss-security/2015/04/14/5 so that this previous discussion can be found or - you should make a later oss-security post in this thread, with a link to the public URL(s) for your full advisory, which might be in any of the four locations that you proposed - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJVL+4XAAoJEKllVAevmvmsSRIIAL1P3iPwL+r5WzeumB+X11Ry 4KnNwj/qDbXYHQNHlBov9cG5vwPfk/Z7GR3lJW67Q1Ow9HBthZ9HWRVBytM8far9 aMls9vZ3evFkPYLDjmRsrcHSX7uFC2E7FPnHdhD+ee4dYQYebz5655EFQHvcc3hS AwqTZBGva7qi/kRz+O2UqFsgOIUivhtx84BFW7NqaLSARwcXpBIXF4hc1mPiA1cQ u2IKsn+Pnxi8cgCpQtvK4crMPhDznQiCzIIHoynqylgInHNiwL4AjgDYQrJQe6un SAr2stOjdAsNQeF2OA0m4ajF46v5Kls2tfvbDwmlIrq8xieN3+e9OY8oNf4xl5s= =5gid -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.