oss-sec mailing list archives
Re: CVE request: Fat Free CRM multiple vulnerabilities
From: Steve Kenworthy <steveyken () gmail com>
Date: Tue, 31 Dec 2013 09:10:11 +0800
Thanks for assigning. I can confirm for issue 3 that the disclosure also involves to_xml. Please assign the additional CVE ID.

Re: denial of service, I don't believe this is an issue as the exploit only relates to read operations.

On Sat, Dec 28, 2013 at 8:23 PM, <cve-assign () mitre org> wrote:
http://www.phenoelit.org/stuff/ffcrm.txt
http://seclists.org/fulldisclosure/2013/Dec/199
https://github.com/fatfreecrm/fat_free_crm/issues/300
https://github.com/fatfreecrm/fat_free_crm/wiki/Fixing-security-vulnerabilities-%2827th-Dec-2013%29

1. Known Session Secret
https://github.com/fatfreecrm/fat_free_crm/commit/93c182dd4c6f3620b721d2a15ba6a6ecab5669df
Use CVE-2013-7222.

2. Lack of CSRF Protection
https://github.com/fatfreecrm/fat_free_crm/commit/a7fedbb36388bad0c0f32b2346481e0ea126dea6
Use CVE-2013-7223.

3. Default to_json for models
https://github.com/fatfreecrm/fat_free_crm/commit/cf26a04b356ad2161c4c6160260eb870a3de5328
Use CVE-2013-7224.

4. Multiple SQL Injections
https://github.com/fatfreecrm/fat_free_crm/commit/078035f1ef73ed85285ac9d128c3c5f670cef066
https://github.com/fatfreecrm/fat_free_crm/commit/d4b2de81a4d8c1b201482edcb2488ed9280a65fd
Use CVE-2013-7225.

For item 3: if there is an information-disclosure vulnerability involving to_xml, please let us know and we can assign an additional CVE ID. The joernchen advisory mentioned only to_json, and therefore to_xml has a different discoverer and may require a separate CVE ID.

If there is a denial of service issue involving :delete, please let us know and we can assign an additional CVE ID. The joernchen advisory mentioned only "renders JSON requests with a full JSON object," and therefore :delete has a different discoverer and may require a separate CVE ID.
--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]