Hi LTS team
I have checked two of the pluxml issues
CVE-2020-18184
This vulnerability is questioned upstream. The "vulnerability" is that a user that can edit themes can update a template that allows that user to execute arbitrary code. However, the complaint is that there is plenty of documentation telling the user that this functionality should exist. I would say that it is quite expected that a theme admin user can do this.
The question is how this should be marked:
- no-dsa minor issue?
- ignored?
I may have missed something since this package was added to DLA needed.
CVE-2020-18185
This vulnerability is questionable. The vulnerability is that an admin user can edit a configuration file and by that execute arbitrary code. I would say that this is intended behavior, even though the attack vector is a little unusual and indicates that there is a fault somewhere. Upstream seems to confirm that there is a vulnerability, but not a very high one. I find it rather unlikely that upstream will publish any update on this in a quick manner.
The question is how this should be marked:
- no-dsa minor issue?
- postponed?
- Keep it as is and wait to see if something happens?
Should we have a special file for monitoring issues that may get resolved eventually? Just to not make the dla-needed file cluttered with this kind of monitor for eventual fixes?
Best regards
// Ola
--
--- Inguza Technology AB --- MSc in Information Technology ----
---------------------------------------------------------------