oss-sec mailing list archives
Re: CVE requests / advisory: TeamPass <= 2.1.19
From: cve-assign () mitre org
Date: Mon, 19 May 2014 03:04:55 -0400 (EDT)
> All the issues are found in TeamPass versions <= 2.1.19, and all were reported by myself.

Here are the CVE IDs for your discoveries. The commits mentioned in your original message have many other changes that are unrelated to your discoveries. Those other changes are not within the scope of any of these CVE IDs. If any of those changes should be interpreted as vulnerability fixes, one or more additional CVE IDs may be assigned.

> Issue #1: File execution protection bypass via language path injection

Use CVE-2014-3771.

> Issue #2: File execution protection bypass via incorrect use of session variables

Use CVE-2014-3772.

> Issue #3: Multiple SQL injection vectors in sources/main.queries.php
> Issue #4: Multiple SQL injection vectors in sources/datatable/*; and datatable.logs.php (in the root directory, *not* in sources/datatable directory)

Use CVE-2014-3773 for issues 3 and 4.

> Issue #5: Multiple XSS vectors in items.php
Use CVE-2014-3774.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Current thread:
- CVE requests / advisory: TeamPass <= 2.1.19 Matthew Daley (May 17)
- Re: CVE requests / advisory: TeamPass <= 2.1.19 cve-assign (May 19)