Date: Wed, 22 Jun 2016 16:48:55 -0500
From: John Lightsey <john@...nuts.net>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE request: SQL injection in MovableType xml-rpc interface

On Wed, 2016-06-22 at 17:34 -0400, cve-assign@...re.org wrote:
> > SixApart just released new versions of MovableType 6.2 and 6.1 to fix an SQL
> > injection in the xml-rpc interface.
>
> > https://movabletype.org/news/2016/06/movable_type_626_and_613_released.html
>
> This says:
>
> >> Previous versions, including Movable Type 6.2.4 and 6.1.2, are
> >> susceptible to SQL injection attacks via XML-RPC interface.
>
> >> AFFECTED VERSIONS OF MOVABLE TYPE
>
> >> Movable Type Pro 6.0.x, 6.1.x, 6.2.x
> >> Movable Type Advanced 6.0.x, 6.1.x, 6.2.x
>
> Use CVE-2016-5742.
>
> > The vulnerability also affects the older GPLv2 licensed MovableType
> > 5.2.13.
>
> Is there a separate public reference stating that 5.2.13 is affected?
> Or, do you mean that you've done your own analysis and concluded
> that 5.2.13 has the same vulnerability as 6.x? (Either one seems
> fine, and wouldn't affect the number of CVE IDs - we are mostly
> interested in linking the CVE to the primary-source reference about
> the 5.2.13 vulnerability, if such a reference exists elsewhere.)

I sent the original vulnerability report to SixApart and based my report on the 5.2.13 version of the code.

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)