
oss-sec mailing list archives
Re: CVE request: letodms multiple issues
From: Raphael Geissert <geissert () debian org>
Date: Tue, 28 Aug 2012 01:07:20 -0500
On Tuesday 28 August 2012 00:49:51 Kurt Seifried wrote:
> Welp if someone summarizes it I'll assign CVE's happily =).
As per EDB-ID: 20759, there are at least the following issues:
1. Reflected XSS in Login Page.
But in fact it's not just the login page. However, since it's the same kind of vulnerability, I'd just assign one for all the out/ reflected XSS'.
2. Stored XSS in Document Owner/User name (when viewing user document).
3. Stored XSS in Calendar.
Perhaps those two could be covered by only one id.
4. Change Password CSRF.
And this one definitely needs its own id.

If one is to review the code base, there are probably many more. The changes made to the SQL queries are just a hint.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net