[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: serendipity xss (CVE-2007-6205)

On Tue, Dec 11, 2007 at 11:50:25AM +0100, Thijs Kinkhorst wrote:
> On Tuesday 11 December 2007 09:37, nion@alioth.debian.org wrote:
> > Log:
> > CVE-2007-6205 fixed in serendipity 1.2.1-1
> >  CVE-2007-6205
> > +	- serendipity 1.2.1-1 (low)
> This issue is: XSS through remote RSS feeds.
> I would rate it as unimportant myself: it requires using this specific plugin, 
> only with an OPML-format feed, and then the remote maintainer of that feed 
> needs to be interested in getting your password, and will need to put 
> malicious script into the url-parameter of that feed (breaking the feed for 
> everyone else, so it's noticable and tracable who did it). To me this 
> scenario sounds highly unlikely.
> I propose to mark it as no-dsa for stable, and even to lower the severity to 
> unimportant. Comments?

no-dsa should be fine I guess.


Reply to: