Re: CVE request: webcalendar before 1.2.5 XSS

[Henri Salo <henri () nerv fi>]

On Sat, Apr 28, 2012 at 11:11:40AM +0200, Hanno Böck wrote:
> Upstream release notes:
> http://sourceforge.net/mailarchive/message.php?msg_id=28915339
>
>  - Fixes for various security vulnerabilities include LFI (local
> file inclusion), XSS (cross site scripting) and others.
>
>
> Further info for the XSS:
> http://seclists.org/bugtraq/2012/Jan/128
>
> The local file inclusion here
> http://www.naked-security.com/nsa/208799.htm
> is said to be CVE-2012-1496, but no info on the CVE database yet.
>
>
> -- 
> Hanno Böck            mail/jabber: hanno () hboeck de
> GPG: BBB51E42         http://www.hboeck.de/

These might be related (at least the second one):

http://osvdb.org/show/osvdb/81329 http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1495
http://osvdb.org/show/osvdb/81330 http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1496

I can request more details from the vendor and email Mitre so we get those CVEs updated.

- Henri Salo