Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun,  6 Mar 2016 22:04:49 -0500 (EST)
From: cve-assign@...re.org
To: carnil@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: Dotclear: XSS vulnerability in comments managment page and media exclusion control enforcement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Dotclear, a web publishing software, fixed a cross-site scripting
> vulnerability in 2.8.2. Additionally the media exlusion control in the
> media manager was furhter enforced:
> 
> https://dotclear.org/blog/post/2015/10/25/Dotclear-2.8.2

> The XSS vulnerability was fixed with
> 
> https://hg.dotclear.org/dotclear/rev/65e65154dadf
> 
> admin/comments.php
> -  form::hidden(array('author'),preg_replace('/%/','%%',$author)).
> +  form::hidden(array('author'),html::escapeHTML(preg_replace('/%/','%%',$author))).

Use CVE-2015-8831.


> The second mentioned issue was addressed with
> 
> https://hg.dotclear.org/dotclear/rev/198580bc3d80
> 
> inc/core/class.dc.core.php
> -  array('media_exclusion','string','/\.php[0-9]*$/i',
> +  array('media_exclusion','string','/\.(phps?|pht(ml)?|phl)[0-9]*$/i',

Use CVE-2015-8832.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJW3O4DAAoJEL54rhJi8gl5MnsQALSILA8PaHLFRRQbrXcz43e/
PGGgyWrqqZQY5KvfLkDmcTSR7D9JuIFfQa0jU6I88h62PZ0jk8nWwrWdozOchgZW
fyO2Zbdh3BMO3RW+hMnTpKVq66WvSFSs1vFIAG6y44RY7ddWCjVLWYw1r7MJnnNW
gzyqH4QrMUFMr3eki8rWOWXX4gCZ104D25eChC406M08QGBO77xSYn5llK68CraS
2HRFuVtUleHMgS/JkBS6VWd2dBYNQPaHtIUM+THvDePh9HV+J4jrS24qc6cDEsHR
uFP/8oAn47ob8sJeSfdZp4Rqq8r12aOFsHReCQa69N/gaXtLdEFAuKJSx+yCClAR
v0XcmlWUeum/3zr+/vTBXj+K+IESHPOWZl6YxuW125c1KgSba2rkeuORT/nq4R1l
vraRd479fpA22+s5ii81EjxtEgGMKT/woHdxlJRgJeBCtiuXRYcoanS4QmNfw00C
wasOMNYaaYwJtBOMDEgCLFZlvO3/7EuWPFZidoKTGc58o4fwz3TXEG7Ez8rVL9EF
CaIzjl9wx5MLaLQhj6G8SgM3+mtDPN7/yLfDj0E7nhSsY9Sr98NXdlBIvrEbkNGK
FBOFE/xQxzNKSDQI7+p+7pQ5drpIK/53GwcgVw4dbepNgJNn6DQVzDhiN92o+Kwx
vMgmqdP5oqnZIf7Ya+V7
=0vja
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.