oss-sec mailing list archives
Re: CVE request (2009): vanilla forums before 1.1.8
From: Josh Bressers <bressers () redhat com>
Date: Mon, 11 Oct 2010 15:29:39 -0400 (EDT)
----- "Hanno Böck" <hanno () hboeck de> wrote:
http://gsasec.blogspot.com/2009/05/vanilla-v117-cross-site-scripting.html

Input passed to the 'RequestName' header parameter when posting to '/ajax/updatecheck.php' is not sanitized before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Please note this should be a CVE-2009 id.

Steve,
Can MITRE take this one?
Thanks.
--
JB
Current thread:
- CVE request (2009): vanilla forums before 1.1.8 Hanno Böck (Oct 08)
- Re: CVE request (2009): vanilla forums before 1.1.8 Josh Bressers (Oct 11)
