oss-sec mailing list archives

Dispute CVE-2012-5903 SMF index.php scheduled-parameter XSS


From: Henri Salo <henri () nerv fi>
Date: Mon, 31 Dec 2012 12:42:13 +0200

Hello,

I tried to reproduce CVE-2012-5903 SMF index.php scheduled-parameter XSS without luck. Does someone have a working payload for this? References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-5903
http://packetstormsecurity.org/files/111356/SMF-2.0.2-Cross-Site-Scripting.html
http://xforce.iss.net/xforce/xfdb/74521
http://www.securityfocus.com/bid/52822
http://osvdb.org/80766
http://en.securitylab.ru/nvd/432586.php

Until someone provides a working PoC I dispute this issue. SMF hasn't replied to my emails about this. Please note that there are several comments [1][2] in forums about this too.

1: http://www.simplemachines.org/community/index.php?topic=491516.msg3445272#msg3445272
2: http://www.simplemachines.org/community/index.php?topic=491516.msg3449057#msg3449057

It's not a security vulnerability if the attacker already has administrator access to the application. Should we REJECT CVE-2012-5903?

- Henri Salo
