[VIM] vendor dispute of CVE-2005-3066 (fwd)
Steven M. Christey
coley at linus.mitre.org
Wed Nov 2 16:11:04 EST 2005
Note that the nature of their dispute is based on stored XSS (e.g.
injection of HTML into static pages or databases). Their dispute does not
mention reflected XSS (i.e. having a user click on a link which then
causes the XSS to be reflected back to the user), so to my way of
thinking, this might be an erroneous dispute. I have asked them for

---------- Forwarded message ----------
Date: Wed, 2 Nov 2005 14:43:51 -0600
From: ScriptSolutions <djm at scriptsolutions.com>
To: cve at mitre.org

I am the programmer of PerlDiver, the program which is referenced as a
"candidate" on your site

Please note that PerlDiver has never stored user input from the
browser, much less returned that stored data to other users -- actions
crucial to the exploitation of XSS vulnerabilities. As such,
PerlDiver is incapable of being exploited in this manner.

We consider exploitlabs to be irresponsible and malicious in their
reporting of a completely harmless omission. We respectfully request
that you remove the advisory from your sites as well as reconsider the
importance of any future exploitlabs submission before permitting
their trivial findings to slander reputable companies.

You may see the details of our response to exploitlabs at

Thank you for your consideration.
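
The stored versus reflected distinction raised at the top of this post, as an added example that is not part of the original message and not PerlDiver's code: a handler that keeps no user input can still reflect a request parameter into its response, and HTML-encoding at output closes that gap. The parameter name `q`, the page text and the marker element are all constructed for illustration.

```python
"""Constructed example: a handler with no storage can still reflect input."""
from html import escape
from urllib.parse import parse_qs, quote

STORE = []  # never written to: this handler keeps no user input at all


def get_param(query_string, name):
    """Return the first value of a query parameter, or an empty string."""
    return parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]


def render_unencoded(query_string):
    """Echo the hypothetical 'q' parameter into HTML without encoding."""
    value = get_param(query_string, "q")
    return "<p>No results for " + value + "</p>"


def render_encoded(query_string):
    """Same page, with the value HTML-encoded at the point of output."""
    value = get_param(query_string, "q")
    return "<p>No results for " + escape(value, quote=True) + "</p>"


def reflects_markup(page, marker):
    """True when the marker reached the response as live markup."""
    return marker in page


# Constructed input: a harmless marker element standing in for injected HTML,
# URL-encoded the way it would arrive in a link's query string.
MARKER = "<b id=probe>x</b>"
QUERY = "q=" + quote(MARKER)


def check():
    """Return (reflected without encoding, reflected with encoding, stored)."""
    return (
        reflects_markup(render_unencoded(QUERY), MARKER),
        reflects_markup(render_encoded(QUERY), MARKER),
        len(STORE),
    )


if __name__ == "__main__":
    print(check())
```
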