Dotclear

Ticket #2224 (closed defect: fixed)

Opened 7 years ago

Last modified 7 years ago

Security vulnerability in Dotclear version 2.10.4

Reported by: smarterbitbybit
Owned by: team
Priority: highest
Milestone: 2.11
Component: module:core
Version: 2.10.4
Severity: critical
Keywords: security vulnerability
Cc:

Description

I need a working email address to send the report to.

Change History

comment:1 Changed 7 years ago by franck

Hi,

You can send every security report to the following address: security@…

comment:2 Changed 7 years ago by smarterbitbybit

May I know what is the email? It cuts off at security@... I have tried emailing to security@… / contact@… / contact@… but none of them is working.

comment:3 Changed 7 years ago by smarterbitbybit

Apparently, the commenting system removes the domain after the @ sign.

Any idea how you can pass me a working email?

comment:4 Changed 7 years ago by noe

security[@]dotclear.net works. We regularly receive messages there.

comment:5 Changed 7 years ago by smarterbitbybit

Hi Noe,

Outlook was unable to send the mail as it was unable to connect to your mail server. I have now gotten into contact with Franck and have sent the report over.

Thanks.

comment:6 Changed 7 years ago by franck <carnet.franck.paul@…>

  • Status changed from new to closed
  • Resolution set to fixed

(In [5536ac77e915]) Prevents XSS injection in media title, closes #2224, thanks smarterbitbybit for report

comment:7 Changed 7 years ago by franck

  • Milestone changed from A definir to 2.11