Thanks to Justin for identifying and describing this issue.
With a little more detail inline.
On Wed, Aug 14, 2013 at 7:33 AM, Justin C. Klein Keane wrote:
> Mitigating factors:
> - ---
> In order to inject arbitrary script malicious attackers must have the
> ability to manipula
On Wed, Jun 20, 2012 at 8:04 PM, Denis Andzakovic <denis.andzako...@security-assessment.com> wrote:
> Exploitation of this vulnerability requires a malicious user with
> access to the admin panel to use the
> "/wp-admin/plugin-install.php?tab=upload" page to upload a malicious
> file.
That tool
I should note that Justin was a reporter of the issue to the Drupal
Security Team. When writing the advisory he was mistakenly excluded.
That's been corrected in the HTML version of this advisory:
http://drupal.org/node/1506562
On Wed, Mar 28, 2012 at 4:40 PM, Justin C. Klein Keane wrote:
> Explo
nding to this
> public mailing list.
>
> Best regards,
> MaXe
>
> On Thu, 15 Mar 2012 07:57:17 -0600, Greg Knaddison wrote:
>> Hello MaXe,
>>
>> Thanks for the feedback.
>>
>> Our security advisories are meant to be a littl
Hello MaXe,
Thanks for the feedback.
Our security advisories are meant to be a little opaque and do not
include a POC, so I can understand how these two issues could be
confusing: they both include XSS in something named (F)CKEditor.
However, this issue is quite different from the one you identif
On Tue, Feb 7, 2012 at 4:18 PM, b wrote:
> What is the point of posting notifications of XSS vulnerabilities in
> specific web sites instead of alerts of XSS vulns in specific software
> packages?
I think there are at least 2 reasons:
1. We have pretty good data about bugs in published software
making an announcement about them.
Regards,
Greg Knaddison, a member of the Drupal Security Team speaking on my own behalf
--
Director Security Services
Skype: greg.knaddison | http://twitter.com/greggles | http://acquia.com