Date: Sun, 28 Jun 2015 12:20:52 +0100
From: Matthew Wilkes <matt@...thewwilkes.name>
To: cve-assign@...re.org, matthew@...thewwilkes.co.uk
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE Request: Django CMS

> Use CVE-2015-5081 for the CSRF issue.

Thank you!

> The cms.changelist.js and cms.toolbar.js changes include a comment
> "send post request to prevent xss attacks." The "xss" word choice
> might be a mistake. We are not currently assigning a CVE ID for a
> separate XSS issue.

I believe you are correct.

> CVE IDs were not assigned on a per-discoverer basis here because there
> was no available information suggesting that different persons
> independently discovered different CSRF problems.

I don't believe that they were different, having read the public information. I've asked for clarification from the vendor, though. If anything, my logic for including the information about credit was to emphasise that it was one issue reported by two people and make us both searchable, in case there is confusion if one or both of us write up the issue in future.

Thanks,
Matt