Re: CVE id request: libjs-swfupload

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/16/2012 01:07 PM, Nico Golde wrote:
> Hi, * Kurt Seifried <kseifried () redhat com> [2012-07-16 20:32]:
> > On 07/16/2012 12:17 PM, Nico Golde wrote:
> > > Hi, there is an XSS issue in libjs-swfupload. Can we get a CVE
> > > id for this?
> > >
> > > Details: 
> > > https://nealpoole.com/blog/2012/05/xss-and-csrf-via-swf-applets-swfupload-plupload/
> >
> > >
http://code.google.com/p/swfupload/issues/detail?id=376
> > > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681323
> >
> > There also appears to be a CSRF vulnerability. Is there a reason
> > for only mentioning the XSS?
>
> The CSRF is for pupload which we don't ship and I haven't looked
> at.
>
> Cheers Nico

Please use  CVE-2012-3414 for the libjs-swfupload XSS issue

Please use  CVE-2012-3415 for the libjs-swfupload CSRF issue

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJQBb/DAAoJEBYNRVNeJnmT674P+weoOJuLNtnOwwiLh2+2KPbZ
bCJvYWCiCJPfEF3UG73jcomSo8KfooiJIZP9CfBiGLIi4JoLl2ch2g8WdgbVAz9X
9rG/M+2M/1uWga3MsLoQiKwr9/Rou+BapCrTfWfN/yaUHRe5USoMwv3NL9cWZisz
ZoJjrcLcoLmHE17rpmqClo/ei24+YSbkrNohpL/UCtOv1egDgIRceVUOeX44M+AA
x+vyVDVpknSreHv+Q776ydtyrgjoJI0HfxAnAFydLiBb5Lo3KBIHSHZFCzdl1/rg
kLSjsgxvXLKG5bqDjLG/Fpu9M1AwB0yt7GUTGefCQ8B3agwX1D6mbxYLPvrGW60x
G0mv9O4Hag7OJeJ/pSAt4x9D8aR+Hhqx51Z4BwOK4hIwWqsBwvQhfTFz+pvwa+/w
kET7qMEINUa/H2hgTq/zVe/xDtyAwRHZfxvJo9tdyDyaN60LZRi8rxPkUqhDGxcA
ptw/ftG8k3jQMcm/CT46YtEyjt7xhlD4u6Uos0CcUh3BdNRM1yhqOlP5RfgDzWUi
eKaJeVibFVHhXgIlzagKD5o/1+FzXhVGWWN/YaUHEEccuESvzpFHLnyn1982PCsv
oC1yDGmPOs+HyEGuXrZvd8THUvaP+vj80n9jI9JymBDnvt74QFzpxZ8eAA98c6dm
ZdZxGYuACP+zsN5Tyyb0
=3Kl2
-----END PGP SIGNATURE-----