Re: CVE-request: Serendipity 'serendipity[filter][bp.ALT]' Cross-Site Scripting vulnerability

[Kurt Seifried <kseifried () redhat com>]

On 12/01/2011 03:16 AM, Henri Salo wrote:
> On Thu, Dec 01, 2011 at 11:59:00AM +0200, Henri Salo wrote:
> > Original post: http://seclists.org/bugtraq/2011/Nov/15
> > Advisory URL: http://www.rul3z.de/advisories/SSCHADV2011-015.txt
> > New version announcement: http://blog.s9y.org/archives/233-Serendipity-1.6-released.html
> >
> > I contacted Garvin Hicking and he said this is indeed fixed in 1.6 code, but they changed from SVN to Git so can't 
> > really refer to proper commit. Secunia is linking in http://secunia.com/advisories/46666/ to 
> > https://github.com/s9y/Serendipity/commit/1f037b462761cd592b90541ce4dfda2518ad4711, which has nothing to do with the 
> > actual issue. Shame on Secunia.
> >
> > This is one of logs, which can act like proof: 
> > https://github.com/s9y/Serendipity/commit/db590df6087969e5ef3b07b1b7040e7ec122a4fd
> >
> > Please notify me if this is not enough information.
> These vulnerabilities also doesn't have CVE-identifiers assigned nor requested if I have correct information:
>
> http://www.rul3z.de/advisories/SSCHADV2011-016.txt http://osvdb.org/show/osvdb/75777
> http://www.rul3z.de/advisories/SSCHADV2011-017.txt http://osvdb.org/show/osvdb/76856
>
> If my opinion counts these XSS issues could be put to one CVE-identifier. These have been verified by the author of 
> Serendipity.
>
> - Henri Salo
Merging these two as the fix is to update serendipity for both, the
plug-in appears to simply expose another avenue of attack, not create an
actual XSS as such.

Please use CVE-2011-4366 for this issue.

-- 

-Kurt Seifried / Red Hat Security Response Team