oss-sec mailing list archives
Re: CVE Request: Django CMS
From: Matthew Wilkes <matt () matthewwilkes name>
Date: Sun, 28 Jun 2015 12:20:52 +0100
> Use CVE-2015-5081 for the CSRF issue.

Thank you!

> The cms.changelist.js and cms.toolbar.js changes include a comment "send post request to prevent xss attacks." The "xss" word choice might be a mistake. We are not currently assigning a CVE ID for a separate XSS issue.

I believe you are correct.

> CVE IDs were not assigned on a per-discoverer basis here because there was no available information suggesting that different persons independently discovered different CSRF problems.

I don't believe that they were different, having read the public information. I've asked for clarification from the vendor, though.
If anything, my logic for including the information about credit was to emphasise that it was one issue reported by two people and make us both searchable, in case there is confusion if one or both of us write up the issue in future.
Thanks, Matt