oss-sec mailing list archives

Re: CVE request: webcalendar before 1.2.7


From: security curmudgeon <jericho () attrition org>
Date: Mon, 22 Jul 2013 17:28:35 -0500 (CDT)


Kurt's reply is a good reminder of why he needs that information. Based on the original post, some of these have assignments.

: Security fix: Do not show the reason for a failed login (i.e. "no such user")

Likely CVE-2013-1422 / OSVDB 90668

: Security fix: Escape HTML characters in category name.

Likely CVE-2013-1421 / OSVDB 90669

: Security fix: Check all passed in fields (either via HTML form or via
: URL parameter) for certain malicious tags (script, embed, etc.) and
: generate fatal error if found.

This one seems like it may be new.

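The three changelog items quoted above describe three distinct controls: a generic login failure message, output-side HTML escaping of a stored field, and an input-side reject list for tag names. The sketch below is an added illustration of those controls and is not WebCalendar's code (the project is written in PHP; this is Python, the function names, the contents of the blocked-tag list, and the sample inputs are all assumed here). It also shows the caveat a reviewer would raise about the third item in general: a tag-name reject list catches `<script>` but not attribute-based vectors, whereas escaping at render time neutralises both.

```python
import hmac
import html
import re

# Constructed sample category names for the demonstration; not taken from
# any real report against WebCalendar.
SAMPLE_CATEGORY_NAMES = [
    "Meetings",
    "<script>alert(1)</script>",
    '<img src=x onerror="alert(1)">',
]


# --- Fix 2: escape HTML metacharacters where the category name is rendered.
def escape_for_html(value: str) -> str:
    """Encode < > & " ' so the string is inert in HTML text or a quoted attribute."""
    return html.escape(value, quote=True)


def render_category(name: str) -> str:
    """Output-side encoding: the stored value is untouched, escaping happens at render time."""
    return f'<span class="category">{escape_for_html(name)}</span>'


# --- Fix 3: an input-side check in the spirit of "reject certain malicious tags".
# The list of tag names is an assumption made for this example.
BLOCKED_TAG_NAMES = ("script", "embed", "object", "iframe")
_BLOCKED_TAG_RE = re.compile(
    r"<\s*/?\s*(?:" + "|".join(BLOCKED_TAG_NAMES) + r")\b", re.IGNORECASE
)


def contains_blocked_tag(value: str) -> bool:
    """True if the value contains an opening or closing tag from the reject list."""
    return _BLOCKED_TAG_RE.search(value) is not None


def accept_field(value: str) -> str:
    """Mimics 'generate fatal error if found': refuse the request instead of storing the value."""
    if contains_blocked_tag(value):
        raise ValueError("malicious tag in submitted field")
    return value


def reject_list_misses_but_escaping_covers(value: str) -> bool:
    """True when the reject list lets the value through but rendering still leaves no raw '<'."""
    passed_filter = not contains_blocked_tag(value)
    rendered_inner = render_category(value)[len('<span class="category">'):-len("</span>")]
    return passed_filter and "<" not in rendered_inner


# --- Fix 1: one failure message whether the user is unknown or the password is wrong.
GENERIC_LOGIN_FAILURE = "Invalid login"


def check_login(username: str, password: str, users: dict) -> tuple:
    """Return (ok, message). `users` maps username -> stored secret (plaintext here
    for brevity; real code compares password hashes). The comparison runs even for
    unknown users and the message never says which part was wrong."""
    stored = users.get(username, "")
    matched = hmac.compare_digest(stored.encode(), password.encode())
    if username in users and matched:
        return True, "Welcome"
    return False, GENERIC_LOGIN_FAILURE


if __name__ == "__main__":
    for name in SAMPLE_CATEGORY_NAMES:
        print(f"{name!r}: blocked={contains_blocked_tag(name)} rendered={render_category(name)}")
    demo_users = {"alice": "correct horse"}
    print(check_login("alice", "wrong", demo_users))
    print(check_login("nobody", "wrong", demo_users))
```

The second and third sample names make the point: `<script>` trips the reject list, the `onerror` handler does not, yet both render harmlessly once the category name is escaped on output. The login helper returns a byte-identical message for an unknown user and for a bad password, which is what the first changelog item is about.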
