Hi Dan, hi Marina,

On Sun, Jan 15, 2017 at 09:31:05AM +0000, Dan Poltawski wrote:
> Hi,
>
> > > please see https://packetstormsecurity.com/files/139466/Moodle-CMS-3.1.2-Cross-Site-Scripting-File-Upload.html
> >
> > JFTR, regarding this one: I tried some weeks ago to contact Marina
> > Glancy to get more information about those CVEs from the upstream point
> > of view, but got no reply unfortunately. Cc'ing for this bug as well.
>
> (Upstream here with Marina) we have not reported on these 'security issues'
> because we do not believe any are security concerns. We replied to the
> original reporter explaining this/asking for clarification; they published
> them as 'exploits' despite this and (as far as I'm aware) didn't respond to
> our requests for clarification. This puts us in a difficult situation.
>
> The s_additionalhtmlhead setting is controlled with our RISK_XSS flag, the
> 'add these tags' issue only seems to be providing XSS to the user themselves
> (in the same way as a web inspector would do), and the others we do not
> understand the exploit. If there is something we are missing we would
> appreciate the bug being created on https://tracker.moodle.org
>
> Note that new security releases (and CVEs) have just been published and
> will be published on https://moodle.org/security/ shortly.

Thanks a lot for your feedback, this is very much appreciated. According to
the above I have added a note to our CVE entries in the security-tracker at
https://security-tracker.debian.org/tracker/851405 to mention the above.
Maybe those CVEs might need to be rejected then in case it turns out that the
reports were invalid regarding being a security issue. I will look forward to
the new CVEs and add them later to our tracking.

> cheers and thanks for your work,

Thanks, and the same 'thank you' to you!

Regards,
Salvatore