oss-sec mailing list archives
Re: CVE requests: IO::Socket::SSL, cakephp, collectd, gnash, ocrodjvu, hypermail, libcloud, piwigo
From: Raphael Geissert <geissert () debian org>
Date: Wed, 12 Jan 2011 21:01:09 -0600
Josh Bressers wrote:
[...]
Steve, can MITRE take the one below. It's quite large and I don't have time to do it right now. Thanks.

piwigo:
a1) CSRF
a2) SQL injection
a3) stored XSS
http://secunia.com/advisories/41365/
http://piwigo.org/releases/2.1.3
http://www.exploit-db.com/exploits/14973/
(the issues mentioned by the exploit-db entry appear to be the same that were fixed in 2.1.3)

b) search.php SQL injection
http://secunia.com/advisories/38305/
http://piwigo.org/releases/2.0.8

c) CSRF in the admin panel:
http://secunia.com/advisories/37681/
http://www.exploit-db.com/exploits/10417
(the exploit-db entry details two other issues, but they are "admin-only" -- feel free to assign or ignore those.)
Ping. Not urgent, but I saw them again on the list of issues without ids on our tracker.

Regards,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net