oss-sec mailing list archives
Re: CVE id request: php-xajax
From: "Steven M. Christey" <coley () linus mitre org>
Date: Wed, 17 Dec 2008 11:07:45 -0500 (EST)
On Wed, 17 Dec 2008, Steffen Joeris wrote:
> The patch for CVE-2007-2739 seems incomplete as it doesn't escape "&". I recommend removing the replace call and using htmlspecialchars() instead.

This counts for a new CVE, so use CVE-2008-5623

Will there be more details available, or should I just write the description up based on the oss-security post? Which versions are affected?

> Also, I seem to be unable to find anything regarding CVE-2007-2740. Did anyone manage to find a patch or even what kind of issue we are talking about? I only see the XSS.

CVE-2007-2740 is based on the xajax PHP and Javascript library 0.2.5 Release Notes and Changelog, dated May 16, 2007, which states:

"...Security vunerabilities have been patched."

- Steve
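
The gap described in the quoted report, as an added example (not xajax code and not part of the original thread): a replace-based escaper that skips "&" passes already entity-encoded input through unchanged, so the browser decodes it into characters the filter never handled. `replace_escape()`, `full_escape()`, `round_trips()` and the sample strings are hypothetical; only `htmlspecialchars()` is named in the post.

```php
<?php
// Added example; not xajax code. replace_escape() is a hypothetical stand-in
// for a replace-based filter that handles <, > and quotes but leaves "&" alone.
function replace_escape(string $s): string
{
    return str_replace(
        ['<', '>', '"', "'"],
        ['&lt;', '&gt;', '&quot;', '&#039;'],
        $s
    );
}

// The replacement recommended in the post: escapes & as well as <, >, " and '.
function full_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// An escaper is correct when entity decoding (what the browser does when it
// parses the page) gives back exactly the original input, so nothing the
// user supplied is reinterpreted as different characters.
function round_trips(callable $escape, string $input): bool
{
    return html_entity_decode($escape($input), ENT_QUOTES, 'UTF-8') === $input;
}

// Constructed sample inputs.
$samples = [
    'plain text',
    'a < b and "quoted"',
    'AT&T',
    '&lt;b&gt;',      // input that already contains named entities
    '&#34;x&#34;',    // input that already contains numeric entities
];

foreach ($samples as $input) {
    printf(
        "%-22s replace-only: %-4s htmlspecialchars: %s\n",
        $input,
        round_trips('replace_escape', $input) ? 'ok' : 'FAIL',
        round_trips('full_escape', $input) ? 'ok' : 'FAIL'
    );
}
```

The same round-trip check works as a regression test for any output-escaping helper: feed it inputs containing `&`-prefixed entities and require that decoding the escaped form returns the input byte for byte.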