Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20150628105507.210D96C00E7@smtpvmsrv1.mitre.org>
Date: Sun, 28 Jun 2015 06:55:07 -0400 (EDT)
From: cve-assign@...re.org
To: matthew@...thewwilkes.co.uk
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: Django CMS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> a CSRF issue around publishing of draft changes
> 
> http://www.django-cms.org/en/blog/2015/06/27/311-3014-release/
> https://github.com/divio/django-cms/commit/f77cbc607d6e2a62e63287d37ad320109a2cc78a

Use CVE-2015-5081 for the CSRF issue.

The cms.changelist.js and cms.toolbar.js changes include a comment
"send post request to prevent xss attacks." The "xss" word choice
might be a mistake. We are not currently assigning a CVE ID for a
separate XSS issue.

> Sylvain Fankhauser of L//P and Matthew Wilkes of The Code Distillery,
> who discovered and privately demonstrated to the django CMS core
> developers an important CSRF vulnerability and contacted us through
> the documented channels.

CVE IDs were not assigned on a per-discoverer basis here because there
was no available information suggesting that different persons
independently discovered different CSRF problems.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVj9ICAAoJEKllVAevmvmsdu4H/1c3jL6XKKu20IXZe50bHo3q
LIqJQ5uIfYR3K1ZwO2UIP4GYQHfbnJw7sSMnijAeEqkKXOdZLNwyVXM8od20YR2x
axSLTHjl6Wygxn+z+inLf5pRNZiF4q+s4U+h0KXUIbJN6VDtSYkY5f0axh4P29sv
JwTmVzL6+WWEiJ24gRY8uB6awhoFCFJ+62BCqNSnBoa81rt6mwMIMO4z4deKJM5Y
p8K0jSeYJF8HHuhIGCBFUQ02jC8arlawuwnsyjnjFDOFSbLMrhuwVx7yF5Ut+Z8P
nNl38ABeqm03r6dRp1Fu81itEhH3Gw3EGXbDyr8Ivbk2TQ7L4bntdxnAPPOb8TU=
=3AtE
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.