Re: RE: [vs-plain] Request for CVE Identifiers

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks for posting, this makes life easier for everyone (especially
the vulnerability aggregation services).

On 11/13/2013 10:14 AM, Jenny Han Donnelly wrote:
> Hi Kurt,
>
> Thanks for your help. We now have CVE IDs for YUI-related security
> vulnerabilities. We're updating the site with them now. For your
> reference, I've pasted them here:
>
>
> CVE-2013-6780 
> https://yuilibrary.com/support/20131111-vulnerability/ use.
>
>
>
> CVE-2012-5881 
> http://www.yuiblog.com/blog/2012/10/30/security-announcement-swf-vulnerability-in-yui-2/
http://www.yuiblog.com/blog/2012/11/05/post-mortem-swf-vulnerability-in-yui-2/
> http://yuilibrary.com/support/20121030-vulnerability/
>
> Cross-site scripting (XSS) vulnerability in the Flash component
> infrastructure in YUI 2.4.0 through 2.9.0 allows remote attackers
> to inject arbitrary web script or HTML via vectors related to
> charts.swf, a similar issue to CVE-2010-4207.
>
>
>
> CVE-2012-5882 
> http://www.yuiblog.com/blog/2012/10/30/security-announcement-swf-vulnerability-in-yui-2/
http://www.yuiblog.com/blog/2012/11/05/post-mortem-swf-vulnerability-in-yui-2/
> http://yuilibrary.com/support/20121030-vulnerability/
>
> Cross-site scripting (XSS) vulnerability in the Flash component
> infrastructure in YUI 2.5.0 through 2.9.0 allows remote attackers
> to inject arbitrary web script or HTML via vectors related to
> uploader.swf, a similar issue to CVE-2010-4208.
>
>
>
> CVE-2012-5883 
> http://www.yuiblog.com/blog/2012/10/30/security-announcement-swf-vulnerability-in-yui-2/
http://www.yuiblog.com/blog/2012/11/05/post-mortem-swf-vulnerability-in-yui-2/
> http://yuilibrary.com/support/20121030-vulnerability/
>
> Cross-site scripting (XSS) vulnerability in the Flash component
> infrastructure in YUI 2.8.0 through 2.9.0, as used in Bugzilla
> 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and
> 4.3.x and 4.4.x before 4.4rc1, allows remote attackers to inject
> arbitrary web script or HTML via vectors related to swfstore.swf, a
> similar issue to CVE-2010-4209.
>
>
>
> CVE-2013-4939 
> http://yuilibrary.com/support/20130515-vulnerability/
>
> Cross-site scripting (XSS) vulnerability in io.swf in the IO
> Utility component in Yahoo! YUI 3.0.0 through 3.9.1, as used in
> Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8,
> 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows
> remote attackers to inject arbitrary web script or HTML via a
> crafted string in a URL.
>
>
>
> CVE-2013-4940 
> http://yuilibrary.com/support/20130515-vulnerability/
>
> Cross-site scripting (XSS) vulnerability in io.swf in the IO
> Utility component in Yahoo! YUI 3.10.2, as used in Moodle through
> 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before
> 2.4.5, 2.5.x before 2.5.1, and other products, allows remote
> attackers to inject arbitrary web script or HTML via a crafted
> string in a URL.  NOTE: this vulnerability exists because of a
> CVE-2013-4939 regression.
>
>
>
> CVE-2013-4941 
> http://yuilibrary.com/support/20130515-vulnerability/
>
> Cross-site scripting (XSS) vulnerability in uploader.swf in the
> Uploader component in Yahoo! YUI 3.2.0 through 3.9.1, as used in
> Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8,
> 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows
> remote attackers to inject arbitrary web script or HTML via a
> crafted string in a URL.
>
>
>
> CVE-2013-4942 
> http://yuilibrary.com/support/20130515-vulnerability/
>
> Cross-site scripting (XSS) vulnerability in flashuploader.swf in
> the Uploader component in Yahoo! YUI 3.5.0 through 3.9.1, as used
> in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8,
> 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows
> remote attackers to inject arbitrary web script or HTML via a
> crafted string in a URL.
>
>
>
> -----Original Message----- From: Kurt Seifried
> [mailto:kseifried () redhat com] Sent: Thursday, August 01, 2013 8:12
> PM To: michaeld () moodle com; security () yuilibrary com; Open Source
> Security Subject: Re: [vs-plain] Request for CVE Identifiers
>
> On 07/05/2013 12:01 AM, Michael de Raadt wrote:
> > Hi, Kurt.
>
> > Thanks for getting back to me.
>
> > The YUI issue (reported as Moodle security issue MSA-13-0025)
> > seems to have affected YUI versions 3.0.0 through 3.10.0 and was
> > fixed in 3.10.1. There was a smaller related problem still in 
> > 3.10.2 that they also fixed. Here are some links to the YUI 
> > announcements...
>
> Hi YUI guys, can we get the CVE situation for YUI sorted out please
> and thank you? I'd be happy to assign CVEs or to help you get them
> from Mitre.
>
>
> > http://www.yuiblog.com/blog/2013/05/14/yui-3-10-1-released-to-fix-swf-
vulnerability/
> http://yuilibrary.com/support/20130515-vulnerability/
>
> > I couldn't find an existing CVE for this. Perhaps there is not
> > one yet.  Michael de Raadt /BSci(Hons), PhD/ *Development
> > Manager, Moodle HQ <http://moodle.com/hq/>* Availability:
> > Calendar <http://dl.dropbox.com/u/11561272/calendar.html> Web: 
> > moodle.com/michaeld <http://moodle.com/michaeld> Blog: 
> > salvetore.wordpress.com <http://salvetore.wordpress.com/> Email: 
> > michaeld () moodle com <mailto:michaeld () moodle com> LinkedIn: 
> > linkedin.com/in/michaelderaadt 
> > <http://linkedin.com/in/michaelderaadt> Twitter:     @salvetore 
> > <https://twitter.com/salvetore>
>
> > <http://moodle.org>

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJSg+dCAAoJEBYNRVNeJnmTRKkP/0gh/c14qP9O8ZXeWcBWbOwQ
wbWzoku3wWKnTrOpLUjZk+jdCzzvaJepCUyGXBTjmo0454q+hut52MCWntHHa3dy
cScsUQIU5y+NWgKu3gbk+wXXTSgLJFCgvGcQ29gueAjNjuJoknTtePyFaVJrsORI
J+t6ONkrXvYIjMzsThhyobFC4NouUGOnCg9vb7YqtCflP30U03ZgzNNhMQKLjZ7N
nlLCV+SqYRVEgGxAe8YRUQPmNNEO5c0M+mmMBD4rzn3XL/MeADtoEfdfDilgMQrw
plbeYvawqYL3xoxa1Sh8LewVUFFqW6NGCuF9whUnwKy2JsybBJaNf+9jDyOmUcfS
DTmz/wfijtuRrUe5tL8OTMjk3M/UhwM8iltuEmebbiDVpk/X9WE/nIgt7GPb/LFZ
onde4/4fBPC1ftNwPk5NkQwcRFniyrhYYRN7czGBizUhv6GEfXiJQoFi/kge5UoW
pzPWlAMX3hjNv8VExygYn3E8KAXaK3aWKbYjVBRlP6DR0k9P+cqYZK735MLm5MFR
Z6ZT2bVpRVaEaqLGgVKXKc8Sq93GwdNOM+qdA/zVO86nOtJ7xgtUeZmF1CFyTHxe
e+vzau+qiXAIYQueDSr6sjhlrEzgAhIETsaR8l+JY9k6MvUH8X9i8O5sSDM/XQtv
eVb7bTBUvjOVt0c9cC6W
=oSh1
-----END PGP SIGNATURE-----