oss-sec mailing list archives
Re: CVE request: piwigo before 2.6.3 sql injection
From: cve-assign () mitre org
Date: Tue, 24 Jun 2014 10:29:33 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> So the sql injection only affects the beta and we have another "unclear" vulnerability and need two CVEs?
We will wait a short time for any other comments from anyone before assigning the two CVEs.

One other observation is that 3089 says "Product Version 2.6.2" and "An admin can perform an SQL injection." Also, http://piwigo.org/forum/viewtopic.php?id=24009 is from 2014-06-11 whereas http://piwigo.org/bugs/view.php?id=3089 is from 2014-06-12. So, possibly, the requirement for admin access was part of the motivation for not pushing out a new release immediately. And, the lack of the fix in 2.6.3 might be a result of the bug perhaps not being discovered until the day after the 2.6.3 release.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTqYraAAoJEKllVAevmvmsIosIAKDw3uYMNhOwcPeZ/BHnRuTq
5BTdbwu9W21c717iXIDVKWmiBZ96r7wrt3SeAUA5UidFqCYx7Qlg9+Ff58Tmw7O/
tJ7o5dhJS09nRj1TSG5+W6KdeiitTHVDtCXYDc20xgnAQqnNotuS2O4kqhWjH20j
xEIHCH6N1ePel+5vnaSO7vqOwJIoXUsb8VXVeLpnZUUgv2hCbLIFB2PZhmIWylll
2eFABF4i1Uwze/gzeY7Xk7kFRn9hzCASKRZ1p8Bn5fko8FJ1CA+Rx935DoBkPt+n
cY7vfdj2zOCJLGPKXvLAUh1GofSI++wiu6pEs4twHz2/B5MxlmE/OFooNURHzwI=
=LH2i
-----END PGP SIGNATURE-----
Current thread:
- CVE request: piwigo before 2.6.3 sql injection Hanno Böck (Jun 23)
- Re: CVE request: piwigo before 2.6.3 sql injection cve-assign (Jun 23)
- Re: CVE request: piwigo before 2.6.3 sql injection Hanno Böck (Jun 24)
- Re: CVE request: piwigo before 2.6.3 sql injection cve-assign (Jun 24)
- Re: CVE request: piwigo before 2.6.3 sql injection cve-assign (Jun 25)
- Re: CVE request: piwigo before 2.6.3 sql injection Hanno Böck (Jun 24)
- Re: CVE request: piwigo before 2.6.3 sql injection cve-assign (Jun 23)
