Message-Id: <20160802235000.50B4F6CC7DC@smtpvmsrv1.mitre.org>
Date: Tue,  2 Aug 2016 19:50:00 -0400 (EDT)
From: cve-assign@...re.org
To: chenruiqi@....cn
Cc: cve-assign@...re.org, limingxing@....cn, oss-security@...ts.openwall.com
Subject: Re: CVE request: XSS vulns in Dotclear v2.9.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> I found some XSS vulns in Dotclear v2.9.1
> 
> There are two reflected XSS vulns in Dotclear v2.9.1 media manager
> 
> /admin/media.php
> line 34 $link_type = !empty($_REQUEST['link_type']) ? $_REQUEST['link_type'] : null;
> line 62 $q = isset($_REQUEST['q']) ? $_REQUEST['q'] : null;
> 
> /dotclear/admin/media.php?q=[XSS]
> /dotclear/admin/media.php?link_type=[XSS]
> 
> Fix Code:
> https://hg.dotclear.org/dotclear/rev/40d0207e520d

Use CVE-2016-6523 for both of these issues.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
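
The request quotes the two lines where `link_type` and `q` are read from `$_REQUEST` but not where they are written back into the page. The following is an added example, not Dotclear code and not the referenced fix: it pairs those reads with a constructed attribute sink, first raw and then encoded. The `$request` array, the render functions, the `h()` helper and the allowlist values are all assumptions made for illustration.

```php
<?php
// Added illustration. Only the two ternary reads mirror the quoted media.php
// lines; the sinks, helper and sample values are constructed.

// Constructed request standing in for /admin/media.php?q=...&link_type=...
$request = [
    'q'         => '"><i>injected</i>',
    'link_type' => 'x"><i>injected</i>',
];

// Same source pattern as the quoted lines 34 and 62.
$link_type = !empty($request['link_type']) ? $request['link_type'] : null;
$q         = isset($request['q']) ? $request['q'] : null;

// Hypothetical vulnerable sink: raw request values inside attribute values.
// A double quote in the input closes the attribute and starts new markup.
function render_unsafe(?string $q, ?string $link_type): string
{
    return '<input type="text" name="q" value="' . $q . '" />'
         . '<input type="hidden" name="link_type" value="' . $link_type . '" />';
}

// Encode for HTML text and quoted-attribute contexts at output time.
function h(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened sink: restrict link_type to known values (hypothetical names),
// and encode both parameters where they are written into the page.
function render_safe(?string $q, ?string $link_type): string
{
    $allowed = ['example_a', 'example_b']; // assumption, not Dotclear's list
    if (!in_array($link_type, $allowed, true)) {
        $link_type = null;
    }
    return '<input type="text" name="q" value="' . h($q) . '" />'
         . '<input type="hidden" name="link_type" value="' . h($link_type) . '" />';
}

echo render_unsafe($q, $link_type), "\n"; // markup from the request is live
echo render_safe($q, $link_type), "\n";   // quotes and brackets are entities
```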
