Re: CVE request: Concrete5 XSS vulnerability

[Henri Salo <henri () nerv fi>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Jan 05, 2015 at 09:56:24AM -0800, Korvin Szanto wrote:
> This has been fixed in 5.7.3 for some time
> https://github.com/concrete5/concrete5-5.7.0/commit/e3d47d2af88ddef36deaf754ef22f1f39b9b623b
>
> We have a security disclosure program for this so any disclosure
> outside of our program is very irresponsible and unprofessional. You
> end up with outdated information and leave us unable to fix the issue
> in a secure way since we cannot see it until it's brought to our
> attention through our disclosure program.

Original advisory in http://seclists.org/bugtraq/2014/Dec/53 says following:

"""
Disclosure time-line
02 November 2014: Discovery.
03 November 2014: Initial report sent.
11 November 2014: Second contact.
No response.
09 December 2014: Public disclosure.
"""

I do not know how author of that advisory tried to contact Concrete5. For
future cases: https://www.concrete5.org/developers/security/

I only requested CVE for coordination purposes. In this case CVE is used to
notify end-users to actually update their software so that they are not affected
by this vulnerability. If you want more details please contact me off-list.

Would it be possible for Concrete5 to request CVEs in the future as part of your
security disclosure program?

https://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html

- -- 
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlSq1EkACgkQXf6hBi6kbk9o4ACeLhGKVeF1+JIMjrUVJMzIgDf4
CTMAn3QMFpwXw7ZBzUFS6Luv9euuIX6z
=GYNG
-----END PGP SIGNATURE-----