oss-sec mailing list archives

Re: CVE request: punbb < 1.2.19


From: "Steven M. Christey" <coley () linus mitre org>
Date: Sun, 27 Jul 2008 18:39:48 -0400 (EDT)


On Mon, 21 Jul 2008, Hanno Böck wrote:

    *  Fixed an SMTP command injection vulnerability, discovered by Stefan
Esser.

CVE-2008-3335

    * Fixed an XSS issue in include/parser.php, discovered by Dan Crowley.
    * Fixed several potential XSS vectors in moderate.php.

Combined, these are CVE-2008-3336

    * Fixed issue with database returning the same user on multiple pages of
the userlist, noticed by hcgtv.

This sounds like a usability issue, not a security issue.

- Steve

======================================================
Name: CVE-2008-3335
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3335
Reference: CONFIRM:http://punbb.informer.com/

Unspecified vulnerability in PunBB before 1.2.19 allows remote
attackers to inject arbitrary SMTP commands via unknown vectors.


======================================================
Name: CVE-2008-3336
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3336
Reference: CONFIRM:http://punbb.informer.com/

Multiple cross-site scripting (XSS) vulnerabilities in PunBB before
1.2.19 allow remote attackers to inject arbitrary web script or HTML
via (1) include/parser.php and (2) moderate.php.


