oss-sec mailing list archives

Re: CVE id request: libjs-swfupload


From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 16 Jul 2012 20:48:41 -0600

On 07/16/2012 01:07 PM, Nico Golde wrote:
> Hi, * Kurt Seifried <kseifried () redhat com> [2012-07-16 20:32]:
>> On 07/16/2012 12:17 PM, Nico Golde wrote:
>>> Hi, there is an XSS issue in libjs-swfupload. Can we get a CVE
>>> id for this?
>>>
>>> Details:
>>> https://nealpoole.com/blog/2012/05/xss-and-csrf-via-swf-applets-swfupload-plupload/
>>> http://code.google.com/p/swfupload/issues/detail?id=376
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681323
>>
>> There also appears to be a CSRF vulnerability. Is there a reason
>> for only mentioning the XSS?
>
> The CSRF is for plupload which we don't ship and I haven't looked
> at.
>
> Cheers Nico

It's open source though, with the rest of it, right?

Public service announcement/request:

When requesting CVEs it would be nice if people not only request
CVEs for the specific bits in an update/etc. they care about, but for
all the issues; then I have less work to do and we also get a more
complete CVE database =).


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
