Your message dated Sat, 18 May 2019 16:03:14 +0200
with message-id <[email protected]>
and subject line Re: Bug#929136: hoteldruid: CVE-2019-8937
has caused the Debian Bug report #929136,
regarding hoteldruid: CVE-2019-8937
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
929136: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929136
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: hoteldruid
Version: 2.3.2-1
Severity: grave
Tags: security upstream
Hi,
The following vulnerability was published for hoteldruid.
CVE-2019-8937[0]:
| HotelDruid 2.3.0 has XSS affecting the nsextt, cambia1, mese_fine,
| origine, and anno parameters in creaprezzi.php, tabella3.php,
| personalizza.php, and visualizza_tabelle.php.
Unless I am mistaken, those are not yet fixed in the 2.3.2 upstream
release, which fixed CVE-2019-9084, CVE-2019-9085, CVE-2019-9086 and
CVE-2019-9087?
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-8937
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8937
[1] https://www.exploit-db.com/exploits/46429/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: hoteldruid
Source-Version: 2.3.2-1
Hi Marco,
On Sat, May 18, 2019 at 03:21:46PM +0200, Marco M. F. De Santis wrote:
> Hello Salvatore,
> CVE-2019-8937 is already fixed in hoteldruid 2.3.2 as a consequence of the
> other CVEs. This CVE had not been reported to me when 2.3.2 was released.
Thanks for your quick follow-up!
In this case I will update the security-tracker information to
correctly reflect this and close this bug with 2.3.2-1.
Regards,
Salvatore
--- End Message ---