Re: [oss-security] CVE request: phpbb 3.0.7 and before 3.0.5

On Tue, 18 May 2010, Josh Bressers wrote:

>> # [Sec] Only use forum id supplied for posting if global announcement
>> detected. (Reported by nickvergessen)
>>
>
> I don't understand what this means. Do you have more information?

I don't know what it means either. Another part of daily life in CVE.
However, the announcement comes from the vendor so we will ultimately call
it an unspecified vuln with unknown impact and attack vectors related to
"forum id" and "global announcement" or some equally useless description.

So this could use a CVE, too. At worst it's a signal to consumers that
they need to patch, even if the developer isn't clearly explaining why.

Not much different than your typical Linux kernel bug, actually :-/

- Steve

• This message: [ Message body ]
• Next message: Dan Rosenberg: "Re: [oss-security] kernel: btrfs: check for read permission on src file in the clone ioctl"
• Previous message: Steven M. Christey: "Re: [oss-security] CVE request: phorum < 5.2.15 backend XSS"
• In reply to: Josh Bressers: "Re: [oss-security] CVE request: phpbb 3.0.7 and before 3.0.5"
• Next in thread: Josh Bressers: "Re: [oss-security] CVE request: phpbb 3.0.7 and before 3.0.5"

• Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]