oss-sec mailing list archives
Re: CVE Request Smarty / php-Smarty: XSS in Smarty exception messages
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 19 Sep 2012 20:52:34 -0600
On 09/19/2012 11:43 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
>
> a cross-site scripting (XSS) flaw was found in the way Smarty sanitized
> exception messages:
> [1] http://secunia.com/advisories/50589/
> [2] http://code.google.com/p/smarty-php/source/browse/trunk/distribution/change_log.txt
>
> Upstream patch:
> [3] http://code.google.com/p/smarty-php/source/detail?r=4658
>
> Could you allocate a CVE id for this?
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
>
> P.S.: Going through the OSS archive from 2012-09 it doesn't seem this
> has got a CVE identifier yet (but didn't look at posts from
> previous months).

I checked all CVEs for 2012/2011, this is new. Please use CVE-2012-4437 for this issue.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993