oss-sec mailing list archives
Re: CVE request: vanilla forums before 2.0.10, xss
From: "Steven M. Christey" <coley () linus mitre org>
Date: Mon, 6 Dec 2010 17:13:02 -0500 (EST)
On Mon, 6 Dec 2010, Josh Bressers wrote:
Use CVE-2010-4264 for the XSS. The commit is here:
https://github.com/vanillaforums/Garden/commit/4535a059e4e24ca11a2ef0b4d754f262398bcece

As for the "linkbait" issue, I have no clue. Nothing in git seems to point at that. Steve, does MITRE have a precedent for such a thing?
The vendor is calling it a "vulnerability" which is good enough to assign a CVE to, as a different vuln type than XSS.
My guess is that it's open redirect, which is used to redirect users away from the site towards spam or malware. Just a guess, though.
- Steve
Thanks.

-- JB

----- "Hanno Böck" <hanno () hboeck de> wrote:

Hi,

http://vanillaforums.org/discussion/13119/vanilla-2.0.10-released/p1

Two sound like security:

# Added SafeStyles configuration to prevent XSS linkjacking
# Patched potential linkbait vulnerability in dispatcher

(although I don't know what a linkbait vulnerability is, maybe someone wants to enlighten me)

-- 
Hanno Böck
Blog: http://www.hboeck.de/
GPG: 3DBD3B20
Jabber/Mail: hanno () hboeck de
http://schokokeks.org - professional webhosting
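As an added illustration of the vulnerability class Steve guesses at (open redirect), and not code from Vanilla, from the linked commit, or from anyone in this thread: a server-side check that only lets a user-supplied redirect target send the browser to a same-site path or to an allow-listed host. The `ALLOWED_HOSTS` value, the function name and the sample inputs are assumptions constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allow-list for the example; a real deployment would use the
# site's own canonical hostname(s).
ALLOWED_HOSTS = {"forum.example.org"}


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return a redirect destination that cannot leave the allowed site.

    Anything that would take the browser elsewhere (another host, a
    protocol-relative '//host' form, a non-HTTP scheme, userinfo tricks)
    collapses to `default` instead of being honoured.
    """
    if not target:
        return default
    target = target.strip()

    # Control characters can confuse downstream parsers (and header injection
    # in a Location header); refuse them outright.
    if any(ord(c) < 0x20 or c == "\x7f" for c in target):
        return default

    # Some browsers treat backslashes as slashes, so "/\evil" becomes "//evil".
    # Normalise before parsing so urlsplit sees the same thing the browser will.
    parts = urlsplit(target.replace("\\", "/"))

    # Only plain web schemes are acceptable; javascript:, data:, etc. are not.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default

    if parts.netloc:
        # Absolute URL: the host must be on the allow-list. Rebuild from
        # `hostname` so any userinfo ("allowed@evil") or port is dropped.
        host = (parts.hostname or "").lower()
        if host not in ALLOWED_HOSTS:
            return default
        return urlunsplit(("https", host, parts.path or "/", parts.query, ""))

    # No host part: accept only an absolute path. A path starting with "//"
    # cannot occur here (urlsplit would have parsed a netloc), but a relative
    # path or a bare "host.example" string is still rejected.
    if not parts.path.startswith("/"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    # Constructed sample inputs a redirect parameter might carry.
    for candidate in [
        "/discussion/123",
        "//evil.example/",
        "http://evil.example/",
        "javascript:alert(1)",
        "https://forum.example.org/discussion/1?p=2",
        "/\\evil.example/",
        "https://forum.example.org@evil.example/",
    ]:
        print(f"{candidate!r:50} -> {safe_redirect_target(candidate)!r}")
```

The design choice here is an allow-list on the parsed hostname rather than a pattern match on the raw string: string checks such as "starts with /" or "contains our domain" are exactly what the protocol-relative, backslash and userinfo forms in the sample inputs are built to slip past.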