oss-sec mailing list archives
Re: WordPress plugins vulnerable to CVE-2013-1808
From: Henri Salo <henri () nerv fi>
Date: Thu, 16 May 2013 18:31:59 +0300
On Thu, Mar 28, 2013 at 03:44:09PM +0000, Christey, Steven M. wrote:
> Henri,
>
> It appears that CVE-2013-1463 was previously assigned to an issue that was claimed to exist in WP-Table Reloaded and fixed by that module developer, but the attack vector involves the id parameter to js/tabletools/zeroclipboard.swf, so this is likely a duplicate. Can you confirm?
>
> If this is a duplicate, we have an unusual situation for how to resolve it. The older CVE, CVE-2013-1463, is much more widely used than the newer CVE-2013-1808, which would argue for keeping the older CVE-2013-1463. However, because that older CVE focuses on the wrong product, and CVE-2013-1808 is referenced in Red Hat's Bugzilla and thus "more authoritative," this would argue for keeping CVE-2013-1808.
>
> - Steve
I'm not sure if wp-table-reloaded used a custom version of the zeroclipboard or not, but by looking at the checksums so did other plugins too. Let's REJECT CVE-2013-1463 and use CVE-2013-1808.

http://osvdb.org/90374

---
Henri Salo