oss-sec mailing list archives

Re: CVE id request: typo3


From: "Steven M. Christey" <coley () linus mitre org>
Date: Fri, 23 Oct 2009 17:06:06 -0400 (EDT)


On Fri, 23 Oct 2009, Josh Bressers wrote:

This is a big one. Let me know if I've screwed any of these up.

In traditional CVE, it would have been appropriate to combine the
following three issues, because they are the same flaw type (XSS) and
affected versions, even though they are clearly distinct bugs:

CVE-2009-3629 TYPO3 Cross-site scripting

    TYPO3 versions 4.0.13 and below, 4.1.12 and below, 4.2.9 and below,
    4.3.0beta1 and below contain a cross-site scripting flaw where the TYPO3
    backend failed to properly sanitize user input.

    http://marc.info/?l=oss-security&m=125626536616052&w=2
    https://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/

CVE-2009-3633 TYPO3 API function t3lib_div::quoteJSvalue XSS

    TYPO3 versions 4.0.13 and below, 4.1.12 and below, 4.2.9 and below,
    4.3.0beta1 and below contain an unauthenticated cross-site scripting flaw
    in its API function t3lib_div::quoteJSvalue.

    http://marc.info/?l=oss-security&m=125626536616052&w=2
    https://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/

CVE-2009-3636 TYPO3 Install Tool XSS

    TYPO3 versions 4.0.13 and below, 4.1.12 and below, 4.2.9 and below,
    4.3.0beta1 and below contain a cross-site scripting flaw in the Install
    Tool. The Install Tool does not properly sanitize URL parameters leading
    to this attack.

    Note: The Install Tool is not meant to be activated in production
    environments.

    http://marc.info/?l=oss-security&m=125626536616052&w=2
    https://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/

Within the CVE team, we've started applying an additional consistency rule
where we will even split issues with the same vuln-type and version *if*
the finder/discloser/researcher/creditee is different.  In this case, none
of these three CVEs have exactly the same finder, so it's OK to let them
remain split. (I'm somewhat nervous about the implications of this rule
process-wise - and CVE assignment is already "weird enough" - but I'm
continuing with this anyway.)

Note that the TYPO3 advisory doesn't explicitly state which bug is present
in the 4.0.x series.

CVE-2009-3634 TYPO3 Frontend Login Box (felogin) XSS

    TYPO3 versions 4.2.0 to 4.2.6 contain a cross-site scripting flaw
    where the URL parameters of Frontend Login Box were not properly
    sanitized.

    http://marc.info/?l=oss-security&m=125626536616052&w=2
    https://typo3.org/teams/security/security-bulletins/typo3-sa-2009-016/

This would still remain distinct from the other XSS because the affected
versions are different.

- Steve
