oss-sec mailing list archives

Re: CVE Request: October CMS - Stored XSS in image caption tag


From: cve-assign () mitre org
Date: Wed, 22 Jul 2015 09:39:08 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

save it. Logout of the user account and login as an
administrator. Now, simply visit the user profile (of the normal user) and
the JavaScript will be executed.

https://github.com/octobercms/october/blob/master/CHANGELOG.md
*Version affected         :    *Possibly all the builds  i.e ,  < = Build 271

We didn't understand this part. Build 271 is from 2015-06-20. The
vendor made a source-code change related to the bug report today.
There were three builds that occurred after 271, but before today.
We're not sure why "< = Build 271" would be mentioned.

https://github.com/octobercms/october/issues/1302

https://github.com/octobercms/october/commit/8a4ac533e5cd6b8f92e9ef19fbfbb2f505dc7a9a

Use CVE-2015-5612 for the issue affecting the caption of a profile
picture. Use CVE-2015-5613 for the other issues fixed in
8a4ac533e5cd6b8f92e9ef19fbfbb2f505dc7a9a. (We haven't yet looked at
whether "caption of a profile picture" is only associated with the
_image_single.htm change.)

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]

