Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20111122110920.GB28968@foo.fgeek.fi>
Date: Tue, 22 Nov 2011 13:09:20 +0200
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Cc: advisories@...itunasecurity.com
Subject: CVE-request: Symphony CMS Multiple Cross-Site Scripting and SQL
 Injection Vulnerabilities (NS-11-008)

Can we assign CVE-identifiers for these three issues, thank you?

Found from: 2.2.3
Fixed in: 2.2.4

1. http://osvdb.org/show/osvdb/76882 / SA46663
extensions/profiledevkit/content/content.profile.php profile-parameter XSS

2. http://osvdb.org/show/osvdb/76883 / SA46663
symphony/lib/core/class.symphony.php filter-parameter XSS

3. http://osvdb.org/show/osvdb/76884 / SA46663
symphony/content/content.publish.ph filter-parameter SQL injection
(Different than CVE-2010-3458)

References:
http://seclists.org/bugtraq/2011/Nov/8
http://www.mavitunasecurity.com/xss-and-sql-injection-vulnerabilities-in-symphony-cms/
http://secunia.com/advisories/46663/
Advisory Reference: NS-11-008

- Henri Salo

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.