[VIM] BID 48170 Confusion
George A. Theall
theall at tenable.com
Thu Jun 9 14:22:10 CDT 2011
On Jun 9, 2011, at 2:50 PM, rkeith wrote:
> BID 48170 was based off of the following:
>
> http://permalink.gmane.org/gmane.comp.security.oss.general/5223
>
> We suspected it might have been related to 45600, but couldn't tie
> the two together.
FYI, here's a forum posting that seems to provide more details about
the issue(s) addressed in 1.4.27:
http://forum.coppermine-gallery.net/index.php/topic,64734.0.html
Note there are also some command injection issues mentioned in that
thread that I haven't seen in Bugtraq / CVE / OSVDB yet.
> -Rob
>
> On 06/08/2011 07:14 PM, George A. Theall wrote:
>> I'm confused by BID 48170. The discussion says there's an
>> unspecified XSS vulnerability in Coppermine Photo Gallery and that
>> versions before 1.4.27 and 1.5.12 are affected.
>>
>> The 1.4.27 release announcement referenced in the BID shows it was
>> published on May 20th, 2010 and credits Ilja van Sprundel for
>> discovering the vulnerability.
>>
>> The 1.5.12 release announcement referenced in the BID shows it was
>> published on January 2nd, 2011 and credits Janek Vind.
>>
>> Are these really referring to the same issue? Rob?
>>
>> Also for what it's worth, BID 45600 concerns a set of XSS
>> vulnerabilities reported by Janek Vind at the very end of 2010 in
>> Coppermine 1.5.10. SecurityFocus doesn't have any info on a fix, but
>> Secunia in SA42751 reports the issues were addressed in 1.5.12.
>>
>> George
>
>
George
--
theall at tenablesecurity.com