oss-sec mailing list archives
Re: CVE request: SQL injection vulnerability in WordPress plugins Community Events 1.3.5, Tune Library 1.5.4, WP Symposium 15.1
From: cve-assign () mitre org
Date: Thu, 16 Apr 2015 13:17:13 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
3) WP Symposium plugin SQL injection vulnerability Affected version: 15.1 (and likely all versions below) Fixed version: Not yet available, author is working on a fix Plugin URL: https://wordpress.org/plugins/wp-symposium/ (still disabled by WordPress.org team)
Is this different from http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8810
it's definitely a different vulnerability, as CVE-2014-8810 regards a SQL injection vulnerability in ajax/mail_functions.php whereas the problem I discovered exists in a forum function.
Use CVE-2015-3325.
By the way - what would be the best way to publish the vulnerability details? A reply to this thread or posting it to Exploit-DB, Packet Storm or other mailing lists like Fulldisc or Bugtraq?
MITRE doesn't have any role in establishing the policies for use of
the oss-security list. The types of information you sent earlier --
references with vague changelog entries "Fixed for SQL injection
vulnerabilities" and "Fix SQL injection vulnerabilities" -- are
normally considered valid reports of open-source vulnerabilities,
e.g., a person who is neither the discoverer nor the vendor might
notice such a changelog entry and send it here. However, it is
somewhat unusual for a discoverer to choose a multi-stage approach in
which that level of a vague information is provided in one
oss-security post and full details are sent in a later post.
Our only suggestion for this case is that, given that the multi-stage
approach is already in progress, it would probably be best to
establish a link in at least one direction, e.g., either:
- your full advisory should include a link to
http://openwall.com/lists/oss-security/2015/04/14/5
so that this previous discussion can be found
or
- you should make a later oss-security post in this thread, with a
link to the public URL(s) for your full advisory, which might
be in any of the four locations that you proposed
- --
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)
iQEcBAEBAgAGBQJVL+4XAAoJEKllVAevmvmsSRIIAL1P3iPwL+r5WzeumB+X11Ry
4KnNwj/qDbXYHQNHlBov9cG5vwPfk/Z7GR3lJW67Q1Ow9HBthZ9HWRVBytM8far9
aMls9vZ3evFkPYLDjmRsrcHSX7uFC2E7FPnHdhD+ee4dYQYebz5655EFQHvcc3hS
AwqTZBGva7qi/kRz+O2UqFsgOIUivhtx84BFW7NqaLSARwcXpBIXF4hc1mPiA1cQ
u2IKsn+Pnxi8cgCpQtvK4crMPhDznQiCzIIHoynqylgInHNiwL4AjgDYQrJQe6un
SAr2stOjdAsNQeF2OA0m4ajF46v5Kls2tfvbDwmlIrq8xieN3+e9OY8oNf4xl5s=
=5gid
-----END PGP SIGNATURE-----
Current thread:
- CVE request: SQL injection vulnerability in WordPress plugins Community Events 1.3.5, Tune Library 1.5.4, WP Symposium 15.1 Hannes Trunde (Apr 14)
- Re: CVE request: SQL injection vulnerability in WordPress plugins Community Events 1.3.5, Tune Library 1.5.4, WP Symposium 15.1 cve-assign (Apr 16)
- AW: CVE request: SQL injection vulnerability in WordPress plugins Community Events 1.3.5, Tune Library 1.5.4, WP Symposium 15.1 Hannes Trunde (Apr 16)
- Re: CVE request: SQL injection vulnerability in WordPress plugins Community Events 1.3.5, Tune Library 1.5.4, WP Symposium 15.1 cve-assign (Apr 16)
- Re: CVE request: SQL injection vulnerability in WordPress plugins Community Events 1.3.5, Tune Library 1.5.4, WP Symposium 15.1 Hannes Trunde (May 08)
- AW: CVE request: SQL injection vulnerability in WordPress plugins Community Events 1.3.5, Tune Library 1.5.4, WP Symposium 15.1 Hannes Trunde (Apr 16)
- Re: CVE request: SQL injection vulnerability in WordPress plugins Community Events 1.3.5, Tune Library 1.5.4, WP Symposium 15.1 cve-assign (Apr 16)