oss-sec mailing list archives
Re: CVE request: XSS in Google Web Toolkit (GWT)
From: Kurt Seifried <kseifried () redhat com>
Date: Sun, 04 Aug 2013 23:47:16 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 08/04/2013 10:56 PM, David Jorm wrote:
I note that with the release of Google Web Toolkit (GWT) 2.5.1, a security flaw has been resolved: http://www.gwtproject.org/release-notes.html#Release_Notes_2_5_1_RC1 ("Security Fixes") The release notes state: Fixed an XSS vulnerability in html files used by GWTTestCase (patch). These files will only be included in a GWT app if it depends on the JUnit module. Despite the fix, this is not recommended. The patch is here: https://code.google.com/p/google-web-toolkit/source/detail?r=11385 I have reproduced this flaw and can confirm it is reflected XSS. I have previously contacted security@google asking for CVE IDs for GWT flaws, but never received a response. Please assign a CVE ID to this flaw. Thanks
So according to http://cve.mitre.org/cve/cna.html Google is a CVE Numbering Authority but I can't find a CVE in google (irony?) for this so I guess they missed it. Please use CVE-2013-4204 for this issue. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJR/zxhAAoJEBYNRVNeJnmTgtEQAJ2gmoFcYw9EXIWtQBLkykBq 7GShyEcaxY43Ecm38TEIMElHxXsiX6QoI16O0AzkMi2N0TsKjxp0Lvf7zfU3fhqI +juPu2bqKP+yGRJKcb5RoEUr1QGkvS8e4BBTK/572shziiC7j+hvdYYOR3sFvmQw q8HiLIx/in+MUgB+V9XIOyKk5C8v60C8CQ8EH4oqD8q8YScq/HioaKgrs4GJqCUA tbnHPuah9WBOyS0RstyDPAsDRXVGl081mPlq0fllHq28sArbZo+gB1ZgDMhvVhbv AghVzKYt8px3FLi+MVlSTOGeIrTXtpsTWQ66DKxfYfsj1iNh+T3B/fD4H08c4hqX 46rEUBwGKvdNIcg6+DsHvni/6zXBry8qA9x3xwnfUK0xDhZZ8qXN5uXhPqLCM64N TADtIVy5R0f1pv9SNRUMuKBPs+Pw5kimgnYaM45i1E8ilSxHVX6JKsTukx89DK+0 YK674UeTPVQIelFFG8EnasINjgua2kEEaFWsqMPcLbeFsHZA9AD7GpEC6vilTrQz w8ApJ90Ti1oU0eZ1oMhpcjkgjQaS/ZIwYAkIZnLq9Xi5/jGu6aB0sum4fPd8Fytt QDWdJwfTaWq8pNa4M/wwLJGP89EQFunXfGwLd4iloJEHeDSRbmj7H0lRax4DSxeJ +07h7kydenYwxrVTBUL3 =roNw -----END PGP SIGNATURE-----
Current thread:
- CVE request: XSS in Google Web Toolkit (GWT) David Jorm (Aug 04)
- Re: CVE request: XSS in Google Web Toolkit (GWT) Kurt Seifried (Aug 04)