Re: CVE request: XSS and SQL injection in serendipity before 1.7.1

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/08/2012 04:03 AM, Hanno Böck wrote:
> http://blog.s9y.org/archives/240-Serendipity-1.6.1-released.html
>
> "This release mainly addresses two security issues found by Stefan 
> Schurtz (thanks a lot, again!). One is a XSS issue in the media 
> database panel, the other an SQL injection in the media database 
> section. Both issues can only be exploited if you are logged in to
> your blog and you click a specially crafted link. The SQL injection
> cannot be used to extract sensitive information from the database
> or delete data."
>
> The webpage of the vulnerability researcher is 
> http://www.rul3z.de/
>
> However, there seems to be no information yet about those vulns, 
> probably they'll appear there soon.

Please use:

CVE-2012-2331 Serendipity 1.6.0 XSS issue
CVE-2012-2332 Serendipity 1.6.0 SQL Injection issue



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPqf+OAAoJEBYNRVNeJnmTVaYQANPqzjCYb6yLtGRYE6tA8fo2
YiCYUI3TkRUJfIc+h/JZ+UauL3+BCc3U8ZUZun8h3B3FTYTF272qHKeurP+wkHIz
d6MxWUaguDpnGetKjgTfPhrrbzXpqcEEhWE3mqlDI/+wT/M9wZWslfikdYz9ELVT
lHBprwN7ATM3rFTkXrIKU8UlUzOFkwFEi8aaQTK0djOOKAb5ZjSj52QyRKcoOS7B
tY8t8OVUFGd3mfemiTa8i08KdYZ0EkbLfNYFoiLs9R+sqehhpnneY3sHQHiBQX5h
EVBiJ4NT8J0pm/IYuDqpxUK4rQfNlQr6K4SzVuo32KpQG9UGcq8EMJjp5//phzFY
8wGuGP7WQGJtr+JNRJXSWyya/1P67jaqYZC/YzjAZURiighd2lFk4B+oo8DOAzEJ
h+oMd+4LYQFx8lL8dqUhev1SuuIlEOUbT0KXyU7pUWj0ICeylT41iOz9u2uIlFvt
CIxbsaYfV7EQfJjSR15oq91Z/upfJn+pQlO51W+S6lrFcl9uxFSgzPZ/G399hBW8
yhmsM7Bw0Q0hgiqfCIEJqrP0NaBaLX0ufxsy6Q6uyqCK4C7v9S6PeLvZuDQvcEHZ
25R0XwvPnlNTOl93jbVx9LGQ2EhE4OFPTioyiwdsFd9eF/ptiLDIXeikVZopnJo9
jynfmxzFVljNP3tMvXsm
=oANW
-----END PGP SIGNATURE-----