[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

serendipity xss (CVE-2007-6205)



On Tuesday 11 December 2007 09:37, nion@alioth.debian.org wrote:
> Log:
> CVE-2007-6205 fixed in serendipity 1.2.1-1

>  CVE-2007-6205
>  	RESERVED
> +	- serendipity 1.2.1-1 (low)

This issue is: XSS through remote RSS feeds.

I would rate it as unimportant myself: it requires using this specific plugin, 
only with an OPML-format feed, and then the remote maintainer of that feed 
needs to be interested in getting your password, and will need to put 
malicious script into the url-parameter of that feed (breaking the feed for 
everyone else, so it's noticable and tracable who did it). To me this 
scenario sounds highly unlikely.

I propose to mark it as no-dsa for stable, and even to lower the severity to 
unimportant. Comments?


Thijs

Attachment: pgp6l8WXj1F3C.pgp
Description: PGP signature


Reply to: