Salvatore Bonaccorso said [Wed, May 21, 2014 at 07:18:46AM +0200]:

> the following vulnerabilities were published for collabtive.
>
> CVE-2014-3246[0]:
> | SQL injection vulnerability in Collabtive 1.2 allows remote
> | authenticated users to execute arbitrary SQL commands via the folder
> | parameter in a fileview_list action to manageajax.php.
>
> CVE-2014-3247[1]:
> | Cross-site scripting (XSS) vulnerability in Collabtive 1.2 allows
> | remote authenticated users to inject arbitrary web script or HTML via
> | the desc parameter in an Add project (addpro) action to admin.php.
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
Hi Salvatore,

Thanks a lot for the heads-up!

I have uploaded a new release fixing CVE-2014-3246; I have not been able to look into CVE-2014-3247; any help will be most appreciated!
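For readers unfamiliar with the two bug classes named in the advisory, the following is an added illustration of the generic vulnerable pattern beside its usual fix for each class. It is not Collabtive's code and was not tested against Collabtive; the table and column names (files, folder, name), the $desc value and the in-memory SQLite database are assumptions made so that the file runs stand-alone with the pdo_sqlite extension (php sqli_xss_demo.php).

```php
<?php
// Added illustration, NOT Collabtive's code. Shows the generic vulnerable
// pattern and the usual fix for the two bug classes in the advisory:
//   CVE-2014-3246 class: user input concatenated into an SQL statement
//   CVE-2014-3247 class: user input echoed into HTML without escaping
// Assumptions: pdo_sqlite is available; table/column names are invented.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE files (id INTEGER PRIMARY KEY, folder INTEGER, name TEXT)');
$db->exec("INSERT INTO files (folder, name) VALUES (1, 'plan.pdf'), (2, 'secret.xls')");

// Vulnerable pattern: the "folder" parameter is pasted into the SQL text,
// so a quote in the input changes the statement's structure.
function list_files_vulnerable(PDO $db, string $folder): array
{
    $sql = "SELECT name FROM files WHERE folder = '" . $folder . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: the SQL text is fixed and the value is bound; the
// cast to int additionally enforces the expected type of a folder id.
function list_files_safe(PDO $db, string $folder): array
{
    $stmt = $db->prepare('SELECT name FROM files WHERE folder = ?');
    $stmt->execute([(int) $folder]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed test input: a classic tautology payload.
$payload = "1' OR '1'='1";
print_r(list_files_vulnerable($db, $payload)); // both rows: the OR clause was injected
print_r(list_files_safe($db, $payload));       // only folder 1: payload treated as data

// Vulnerable pattern: a description stored from a form is emitted verbatim.
function render_desc_vulnerable(string $desc): string
{
    return '<p class="desc">' . $desc . '</p>';
}

// Hardened pattern: escape for the HTML text context at output time.
function render_desc_safe(string $desc): string
{
    return '<p class="desc">'
        . htmlspecialchars($desc, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</p>';
}

// Constructed test input: a script tag as the project description.
$xss = '<script>alert(document.cookie)</script>';
echo render_desc_vulnerable($xss), "\n"; // script element reaches the browser
echo render_desc_safe($xss), "\n";       // &lt;script&gt;... shown as text
```

The two fixes are independent: the SQL fix belongs at the database call (prepared statement with a bound value, plus type enforcement where the parameter is numeric), and the XSS fix belongs at the point where the value is written into the page, since the same stored description may be rendered in several places.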