Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAD1NwhgLEg0kx9cXNf6bx3cw8Phbkk--H_EeEBLFOYWTRkseHA@mail.gmail.com>
Date: Sat, 20 Apr 2013 19:36:06 +0200
From: Lukas Reschke <lukas@...cloud.org>
To: Mark Panaghiston <markp@...pyworm.com>
Cc: Kurt Seifried <kseifried@...hat.com>, 
	Open Source Security <oss-security@...ts.openwall.com>, hello@...pyworm.com, 
	"security@...cloud.com" <security@...cloud.com>
Subject: Re: CVE-2013-1942 jPlayer 2.2.19 XSS

On Sat, Apr 20, 2013 at 7:19 PM, Mark Panaghiston <markp@...pyworm.com> wrote:
>
> [2.2.23] Security Fix: The Flash SWF had a minor security vulnerability that
> enabled XSS (Cross Site Scripting). Reported by Eugene Dokukin.
> https://github.com/happyworm/jPlayer/commit/c5fe17bb4459164bd59153b57248cf94b8867373

As far I can see from this commit this only affected "alert()" and
allowed the display of an alert box. Could you clarify that please?

If so this could be only abused for techniques like social engineering
and should IMHO not handled as a security issue.

@Kurt: What's your opinion on that?

--
ownCloud
Your Cloud, Your Data, Your Way!

GPG: 0xEB32B77BA406BE99

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.