
serendipity xss (CVE-2007-6205)



On Tuesday 11 December 2007 09:37, nion@alioth.debian.org wrote:
> Log:
> CVE-2007-6205 fixed in serendipity 1.2.1-1

>  CVE-2007-6205
>  	RESERVED
> +	- serendipity 1.2.1-1 (low)

This issue is: XSS through remote RSS feeds.

I would rate it as unimportant myself: it requires using this specific plugin, 
only with an OPML-format feed, and then the remote maintainer of that feed 
needs to be interested in getting your password, and will need to put 
malicious script into the url-parameter of that feed (breaking the feed for 
everyone else, so it's noticeable and traceable who did it). To me this 
scenario sounds highly unlikely.

I propose to mark it as no-dsa for stable, and even to lower the severity to 
unimportant. Comments?


Thijs
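The vector described in the message above, as an added example that is not part of the original thread and not Serendipity's own plugin code (the page does not show that code): a constructed OPML document whose url attribute carries a payload, a naive renderer that pastes the attribute into HTML unescaped, and a hardened renderer that escapes the attribute and allows only http(s) links. The javascript: URL in the third outline is a generalization beyond the tag-breaking case the message describes, and the feed contents, hostnames and function names are all constructed for this illustration.

```python
"""Added example: XSS via an attacker-controlled url attribute in an OPML feed.

Constructed illustration, not Serendipity's plugin code.  A feed-list plugin
fetches a remote OPML file and turns each <outline> into an HTML link.  If the
url attribute is pasted into the markup unescaped, the feed's maintainer can
inject script into every blog that renders that feed.
"""
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed OPML document (assumption: no real feed looks like this).
# Outline 2 carries a tag-breaking payload in its url attribute (XML-escaped
# here; the parser restores the raw characters); outline 3 uses a javascript:
# URL, a second form of the same attack.
SAMPLE_OPML = """<?xml version="1.0"?>
<opml version="1.1">
  <head><title>Constructed feed list</title></head>
  <body>
    <outline text="Planet Debian" url="http://planet.debian.org/rss20.xml"/>
    <outline text="Evil feed"
             url="http://example.invalid/rss&quot;&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;&lt;a href=&quot;"/>
    <outline text="Another feed" url="javascript:alert(document.cookie)"/>
  </body>
</opml>
"""

ALLOWED_SCHEMES = {"http", "https"}


def outlines(opml_text):
    """Yield (text, url) pairs for every <outline> in the OPML document."""
    root = ET.fromstring(opml_text)
    for node in root.iter("outline"):
        yield node.get("text", ""), node.get("url", "")


def render_naive(opml_text):
    """Vulnerable renderer: attribute values go into the markup verbatim."""
    items = ['<li><a href="%s">%s</a></li>' % (url, text)
             for text, url in outlines(opml_text)]
    return "<ul>" + "".join(items) + "</ul>"


def safe_href(url):
    """Return an HTML-escaped href, or None if the URL scheme is not allowed."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return None
    return html.escape(url, quote=True)


def render_hardened(opml_text):
    """Fixed renderer: escape both attributes and allow only http(s) links."""
    items = []
    for text, url in outlines(opml_text):
        label = html.escape(text, quote=True)
        href = safe_href(url)
        if href is None:
            items.append("<li>%s</li>" % label)      # keep the entry, drop the link
        else:
            items.append('<li><a href="%s">%s</a></li>' % (href, label))
    return "<ul>" + "".join(items) + "</ul>"


def tampered_entries(opml_text):
    """Detection helper: names of outlines whose url does not look like a plain
    http(s) URL (markup characters or a disallowed scheme).  A poisoned feed is
    visible to every consumer that fetches it, so this is cheap to check."""
    bad = []
    for text, url in outlines(opml_text):
        if safe_href(url) is None or any(c in url for c in '<>"\''):
            bad.append(text)
    return bad


if __name__ == "__main__":
    print(render_naive(SAMPLE_OPML))
    print(render_hardened(SAMPLE_OPML))
    print("suspicious outlines:", tampered_entries(SAMPLE_OPML))
```

Running the block prints the naive output, in which the second outline closes the href attribute and injects a script element, followed by the hardened output, where the payload survives only as inert `&lt;script&gt;` text and the javascript: entry is rendered without a link. Escaping alone would not neutralise the third outline, which is why the scheme allowlist sits beside the escaping rather than replacing it.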


