(Upstream here with Marina) we have not reported on these 'security issues' because we do not believe any are security concerns. We replied to the original reporter explaining this/asking for clarification; they published them as 'exploits' despite this and (as far as I'm aware) didn't respond to our requests for clarification. This puts us in a difficult situation.

The s_additionalhtmlhead setting is controlled with our RISK_XSS flag, the 'add these tags' issue only seems to provide XSS to the user themselves (in the same way as a web inspector would do), and the others we do not understand the exploit. If there is something we are missing we would appreciate the bug being created on https://tracker.moodle.org

Note that new security releases (and CVEs) have just been published and will be published on https://moodle.org/security/ shortly.

cheers and thanks for your work,
Dan

On 14 January 2017 at 16:16, Salvatore Bonaccorso <car...@debian.org> wrote:
> Hi Moritz, hi Joost
>
> On Sat, Jan 14, 2017 at 04:51:53PM +0100, Moritz Muehlenhoff wrote:
> > Package: moodle
> > Severity: important
> > Tags: security
> >
> > Hi,
> > please see https://packetstormsecurity.com/files/139466/Moodle-CMS-3.1.2-Cross-Site-Scripting-File-Upload.html
>
> JFTR, regarding this one: I tried some weeks ago to contact Marina
> Glancy to get more information about those CVEs from upstream point
> of view, but got no reply unfortunately. Cc'ing for this bug as well.
>
> Regards,
> Salvatore
>
> _______________________________________________
> Pkg-moodle-maintainers mailing list
> pkg-moodle-maintain...@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-moodle-maintainers