oss-sec mailing list archives
Re: Re: CVE request: Simple Machines Forum (SMF) <= 2.0.5 - multiple vulnerabilities
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 02 Oct 2013 10:34:12 -0600
On 10/01/2013 06:23 PM, security curmudgeon wrote:
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 01 Oct 2013 10:07:22 -0600

Please use CVE-2013-4395 for the XSS vuln.
CVE MERGE I thought (one researcher, same version, same vuln type).
--

Which XSS vuln? =)

That thread was messy, but Henri and others appear to have identified and/or confirmed four different ones:

/Sources/ManageServer.php Multiple XSS
http://seclists.org/oss-sec/2013/q3/607
http://custom.simplemachines.org/upgrades/index.php?action=upgrade;file=smf_patch_2.0.5.tar.gz;smf_version=2.0.4
http://www.simplemachines.org/community/index.php?topic=509417
http://seclists.org/oss-sec/2013/q3/642

index.php admin Action board_name Parameter Stored XSS
http://seclists.org/oss-sec/2013/q3/642
http://hauntit.blogspot.co.uk/2013/04/en-smf-204-full-disclosure.html

index.php pm Action sa Parameter Stored XSS
http://hauntit.blogspot.co.uk/2013/04/en-smf-204-full-disclosure.html
http://seclists.org/oss-sec/2013/q3/642

index.php admin Action desc Parameter Stored XSS
http://seclists.org/oss-sec/2013/q3/642

That is what I took away from the entire thread at least. Can someone confirm this is correct, and can you confirm the CVE assignment please Kurt?

Brian
--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993