
Re: serendipity xss (CVE-2007-6205)



On Tue, Dec 11, 2007 at 11:50:25AM +0100, Thijs Kinkhorst wrote:
> On Tuesday 11 December 2007 09:37, nion@alioth.debian.org wrote:
> > Log:
> > CVE-2007-6205 fixed in serendipity 1.2.1-1
> 
> >  CVE-2007-6205
> >  	RESERVED
> > +	- serendipity 1.2.1-1 (low)
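Review bot: the tracker entry still reads RESERVED above the added fix line, so the data file records a fixed version for an issue it does not describe; fill in the description ("XSS through remote RSS feeds", as stated further down in this reply) in the same commit that adds the `- serendipity 1.2.1-1 (low)` line, and note that the `(low)` tag will need changing if the severity is lowered to unimportant as proposed below.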
> 
> This issue is: XSS through remote RSS feeds.
> 
> I would rate it as unimportant myself: it requires using this specific plugin,
> only with an OPML-format feed, and then the remote maintainer of that feed
> needs to be interested in getting your password, and will need to put
> malicious script into the url-parameter of that feed (breaking the feed for
> everyone else, so it's noticeable and traceable who did it). To me this
> scenario sounds highly unlikely.
> 
> I propose to mark it as no-dsa for stable, and even to lower the severity to 
> unimportant. Comments?

no-dsa should be fine I guess.

Cheers,
        Moritz
