Re: serendipity xss (CVE-2007-6205)
On Tue, Dec 11, 2007 at 11:50:25AM +0100, Thijs Kinkhorst wrote:
> On Tuesday 11 December 2007 09:37, firstname.lastname@example.org wrote:
> > Log:
> > CVE-2007-6205 fixed in serendipity 1.2.1-1
> > CVE-2007-6205
> > RESERVED
> > + - serendipity 1.2.1-1 (low)
> This issue is: XSS through remote RSS feeds.
> I would rate it as unimportant myself: it requires using this specific plugin,
> only with an OPML-format feed, and then the remote maintainer of that feed
> needs to be interested in getting your password, and will need to put
> malicious script into the url-parameter of that feed (breaking the feed for
> everyone else, so it's noticable and tracable who did it). To me this
> scenario sounds highly unlikely.
> I propose to mark it as no-dsa for stable, and even to lower the severity to
> unimportant. Comments?
no-dsa should be fine I guess.