Message-Id: <201208280107.20720.geissert@debian.org>
Date: Tue, 28 Aug 2012 01:07:20 -0500
From: Raphael Geissert <geissert@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: letodms multiple issues

On Tuesday 28 August 2012 00:49:51 Kurt Seifried wrote:
> Welp if someone summarizes it I'll assign CVE's happily =).

As per EDB-ID: 20759, there are at least the following issues:

> 1. Reflected XSS in Login Page.
But in fact it's not just the login page. However, since it's the same kind
of vulnerability, I'd just assign one for all the reflected XSS issues under out/.

> 2. Stored XSS in Document Owner/User name (when viewing user document).
> 3. Stored XSS in Calendar.
Perhaps those two could be covered by only one id.

> 4. Change Password CSRF.

And this one definitely needs its own id.
If one is to review the code base, there are probably many more. The changes
made to the SQL queries are just a hint.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
