oss-sec mailing list archives
Re: CVE Request: October CMS - Stored XSS in image caption tag
From: cve-assign () mitre org
Date: Wed, 22 Jul 2015 09:39:08 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
save it. Logout of the user account and login as an administrator. Now, simply visit the user profile (of the normal user) and the JavaScript will be executed.
https://github.com/octobercms/october/blob/master/CHANGELOG.md *Version affected : *Possibly all the builds i.e , < = Build 271
We didn't understand this part. Build 271 is from 2015-06-20. The vendor made a source-code change related to the bug report today. There were three builds that occurred after 271, but before today. We're not sure why "< = Build 271" would be mentioned.
https://github.com/octobercms/october/issues/1302 https://github.com/octobercms/october/commit/8a4ac533e5cd6b8f92e9ef19fbfbb2f505dc7a9a
Use CVE-2015-5612 for the issue affecting the caption of a profile picture. Use CVE-2015-5613 for the other issues fixed in 8a4ac533e5cd6b8f92e9ef19fbfbb2f505dc7a9a. (We haven't yet looked at whether "caption of a profile picture" is only associated with the _image_single.htm change.) - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJVr5xoAAoJEKllVAevmvmsA4YH/1r5R42L5CdWzOsQmbtxG+PI Jci5Rthqr/DGbOJ+chRPTRtD3om2RAHclbYLMmKzrl3craigvyQLGz1ljfuISr5h qC7fk5/wWm1ANDLxPDA+ZzjKYG0jybbb8d/7DpJnEb2tRePuojHOVoXEwRZaFx+g hhjVmsH+4ZYkkCxeOeeq694kPqVKGw/W2bdgRJ7k/mEwAb9evUJ8cENlViBjyylb ivYowIxX8nqOf+XklJAk9rezH8meqwhzNzmP9phiSPEugH4uoxaCo/ASx3Z0Isgl sZyuPtvZVeSfkXQt3AaN2NFt+Lkiek38qDHekyZWSm0oD1RXX3QNcwa645KczVg= =LNgC -----END PGP SIGNATURE-----
Current thread:
- CVE Request: October CMS - Stored XSS in image caption tag Abhishek J.M (Jul 21)
- Re: CVE Request: October CMS - Stored XSS in image caption tag cve-assign (Jul 22)