oss-sec mailing list archives
Re: CVE request: Simple Machines Forum (SMF) <= 2.0.5 - multiple vulnerabilities
From: security curmudgeon <jericho () attrition org>
Date: Tue, 1 Oct 2013 19:23:28 -0500 (CDT)
On Tue, 01 Oct 2013 10:07:22 -0600, Kurt Seifried <kseifried () redhat com> wrote:

> Please use CVE-2013-4395 for the XSS vuln.

Which XSS vuln? =)

That thread was messy, but Henri and others appear to have identified and/or confirmed four different ones:

1. /Sources/ManageServer.php Multiple XSS
   http://seclists.org/oss-sec/2013/q3/607
   http://custom.simplemachines.org/upgrades/index.php?action=upgrade;file=smf_patch_2.0.5.tar.gz;smf_version=2.0.4
   http://www.simplemachines.org/community/index.php?topic=509417
   http://seclists.org/oss-sec/2013/q3/642

2. index.php admin Action board_name Parameter Stored XSS
   http://seclists.org/oss-sec/2013/q3/642
   http://hauntit.blogspot.co.uk/2013/04/en-smf-204-full-disclosure.html

3. index.php pm Action sa Parameter Stored XSS
   http://hauntit.blogspot.co.uk/2013/04/en-smf-204-full-disclosure.html
   http://seclists.org/oss-sec/2013/q3/642

4. index.php admin Action desc Parameter Stored XSS
   http://seclists.org/oss-sec/2013/q3/642

That is what I took away from the entire thread at least. Can someone confirm this is correct, and can you confirm the CVE assignment please, Kurt?
Brian