Message-ID: <20120508120359.63afe711@hsalkjdhsa.lan>
Date: Tue, 8 May 2012 12:03:59 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: CVE request: XSS and SQL injection in serendipity before 1.7.1
http://blog.s9y.org/archives/240-Serendipity-1.6.1-released.html
"This release mainly addresses two security issues found by Stefan
Schurtz (thanks a lot, again!). One is a XSS issue in the media
database panel, the other an SQL injection in the media database
section. Both issues can only be exploited if you are logged in to your
blog and you click a specially crafted link. The SQL injection cannot
be used to extract sensitive information from the database or delete
data."
The webpage of the vulnerability researcher is
http://www.rul3z.de/
However, there seems to be no information yet about those vulns;
they will probably appear there soon.
--
Hanno Böck mail/jabber: hanno@...eck.de
GPG: BBB51E42 http://www.hboeck.de/