Re: CVE request: LetoDMS, more issues

[Raphael Geissert <geissert () debian org>]

On Friday 05 October 2012 23:11:36 Raphael Geissert wrote:
> Hi,
>
> Some more issues were fixed in LetoDMS...
>
> * Fixed in 3.3.8
> Multiple XSS:
> http://mydms.svn.sourceforge.net/viewvc/mydms/branches/letoDMS-3.3.x/inc/
> inc.ClassUI.php?r1=930&r2=929&pathrev=930
> http://mydms.svn.sourceforge.net/viewvc/mydms/branches/letoDMS-3.3.x/out
> /out.DocumentNotify.php?r1=934&r2=933&pathrev=934 (and a few others
> scattered in multiple other commits)
> Missing CSRF protection (all part of the same thing):
> http://mydms.svn.sourceforge.net/viewvc/mydms?view=revision&revision=927
> http://mydms.svn.sourceforge.net/viewvc/mydms?view=revision&revision=915
> http://mydms.svn.sourceforge.net/viewvc/mydms?view=revision&revision=914
> http://mydms.svn.sourceforge.net/viewvc/mydms?view=revision&revision=907
> (and possibly some others...)
>
> * Fixed in 3.3.9
> Multiple XSS in out/out.UsrMgr.php:
> http://mydms.svn.sourceforge.net/viewvc/mydms/branches/letoDMS-3.3.x/out/
> out.UsrMgr.php?r1=979&r2=978&pathrev=979 Regression in the above patch
> (fixed after the release of 3.3.9):
> http://mydms.svn.sourceforge.net/viewvc/mydms/branches/letoDMS-3.3.x/out
> /out.UsrMgr.php?r1=982&r2=981&pathrev=982
>
> LetoDMS Core:
> * Fixed in 3.3.8:
> SQL injection:
> http://mydms.svn.sourceforge.net/viewvc/mydms/branches/letoDMS-3.3.x/Leto
> DMS_Core/Core/inc.ClassDMS.php?r1=929&r2=928&pathrev=929

Could CVE ids be assigned please?

Thanks,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net