|
Message-ID: <20140905094034.GB17649@kludge.henri.nerv.fi> Date: Fri, 5 Sep 2014 12:40:34 +0300 From: Henri Salo <henri@...v.fi> To: oss-security@...ts.openwall.com Cc: TYPO3 Security Team <security@...o3.org> Subject: CVE request: TYPO3-EXT-SA-2013-014 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Can I get 2013 CVE for TYPO3-EXT-SA-2013-014, thanks. Reasoning for CVE in information disclosure case is that this vulnerability exposes sensitive user data. http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2013-014/ http://osvdb.org/97812 It has been discovered that the extension "Direct Mail" (direct mail) is susceptible to Information Disclosure. Release Date: September 25, 2013 Affected Versions: Version 3.1.1 and below Vulnerability Type: Information Disclosure Severity: Medium Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:P/RL:O/RC:C Problem Description: Failing to check authentication codes properly, direct_mail exposes user data including the original authentication code. Solution: An updated version 3.1.2 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/direct_mail/3.1.2/t3x/. Users of the extension are advised to update the extension as soon as possible. Credits: Credits go to Bernhard Kraft who discovered and reported this issue. - --- Henri Salo -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAlQJhRIACgkQXf6hBi6kbk/T8QCaAxtYYv2J3HQChte+F5oPqLtB Z4kAn2YpjPfhOonCCcne9g3SYmEAmtb+ =rI3r -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.