oss-sec mailing list archives
Re: CVE request: Serendipity before 1.6.2 SQL Injection
From: Henri Salo <henri () nerv fi>
Date: Tue, 22 May 2012 12:43:59 +0300
On Tue, May 22, 2012 at 11:05:02AM +0200, Hanno Böck wrote:
Upstream: http://blog.s9y.org/archives/241-Serendipity-1.6.2-released.html Advisory: https://www.htbridge.com/advisory/HTB23092 Upstream description of the issue: "The error here is that input is not properly validated and can be used (when magic_quotes_gpc is off) to inject SQL code to a SQL query; since our DB layer does not execute multiple statements, and the involved SQL query is not used to produce output code, we regard the impact as low. Nevertheless, please upgrade your installation." Please assign CVE. -- Hanno Böck mail/jabber: hanno () hboeck de GPG: BBB51E42 http://www.hboeck.de/
Is this same as: http://seclists.org/oss-sec/2012/q2/352 It looks to me as a same issue. - Henri Salo
Current thread:
- CVE request: Serendipity before 1.6.2 SQL Injection Hanno Böck (May 22)
- Re: CVE request: Serendipity before 1.6.2 SQL Injection Henri Salo (May 22)
- Re: CVE request: Serendipity before 1.6.2 SQL Injection Hanno Böck (May 22)
- Re: CVE request: Serendipity before 1.6.2 SQL Injection Henri Salo (May 22)