oss-sec mailing list archives
Re: CVE request: punbb < 1.2.19
From: "Steven M. Christey" <coley () linus mitre org>
Date: Sun, 27 Jul 2008 18:39:48 -0400 (EDT)
On Mon, 21 Jul 2008, Hanno Böck wrote:
* Fixed an SMTP command injection vulnerability, discovered by Stefan Esser.
CVE-2008-3335
* Fixed an XSS issue in include/parser.php, discovered by Dan Crowley.
* Fixed several potential XSS vectors in moderate.php.
Combined, these are CVE-2008-3336
* Fixed issue with database returning the same user on multiple pages of the userlist, noticed by hcgtv.
This sounds like a usability issue, not a security issue.

- Steve

======================================================
Name: CVE-2008-3335
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3335
Reference: CONFIRM:http://punbb.informer.com/

Unspecified vulnerability in PunBB before 1.2.19 allows remote attackers to inject arbitrary SMTP commands via unknown vectors.

======================================================
Name: CVE-2008-3336
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3336
Reference: CONFIRM:http://punbb.informer.com/

Multiple cross-site scripting (XSS) vulnerabilities in PunBB before 1.2.19 allow remote attackers to inject arbitrary web script or HTML via (1) include/parser.php and (2) moderate.php.