oss-sec mailing list archives
Dispute CVE-2012-5903 SMF index.php scheduled-parameter XSS
From: Henri Salo <henri () nerv fi>
Date: Mon, 31 Dec 2012 12:42:13 +0200
Hello,

I tried to reproduce CVE-2012-5903 SMF index.php scheduled-parameter XSS without luck. Does someone have a working payload for this?

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-5903
http://packetstormsecurity.org/files/111356/SMF-2.0.2-Cross-Site-Scripting.html
http://xforce.iss.net/xforce/xfdb/74521
http://www.securityfocus.com/bid/52822
http://osvdb.org/80766
http://en.securitylab.ru/nvd/432586.php

Until someone provides a working PoC I dispute this issue. SMF hasn't replied to my emails about this. Please note there are several comments[1][2] in forums about this too.

1: http://www.simplemachines.org/community/index.php?topic=491516.msg3445272#msg3445272
2: http://www.simplemachines.org/community/index.php?topic=491516.msg3449057#msg3449057

It's not a security vulnerability if the attacker already has administrator access to the application. Should we REJECT CVE-2012-5903?

- Henri Salo
Current thread:
- Dispute CVE-2012-5903 SMF index.php scheduled-parameter XSS Henri Salo (Dec 31)
- Re: Dispute CVE-2012-5903 SMF index.php scheduled-parameter XSS Moritz Naumann (Dec 31)
- Re: Dispute CVE-2012-5903 SMF index.php scheduled-parameter XSS Hanno Böck (Dec 31)
- Re: Dispute CVE-2012-5903 SMF index.php scheduled-parameter XSS Emanuele (Dec 31)
- Re: Dispute CVE-2012-5903 SMF index.php scheduled-parameter XSS Moritz Naumann (Dec 31)