Message-ID: <20130302171734.GB2360@kludge.henri.nerv.fi>
Date: Sat, 2 Mar 2013 19:17:34 +0200
From: Henri Salo <henri@...v.fi>
To: MustLive <mustlive@...security.com.ua>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: XSS vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django and aCMS
On Fri, Mar 01, 2013 at 11:50:00PM +0200, MustLive wrote:
> I'm resending my letter from February 23, 2013 (since FD was not working
> that day).
>
> After my previous list of vulnerable software with ZeroClipboard.swf, here
> is a list of software with ZeroClipboard10.swf. These are Cross-Site
> Scripting vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django
> and aCMS.
>
> Earlier I wrote about Cross-Site Scripting vulnerabilities in
> ZeroClipboard (http://seclists.org/fulldisclosure/2013/Feb/103). I wrote
> that this is a very widespread Flash file and it's placed at tens of thousands
> of web sites. And it's used in hundreds of web applications. Among them are
> em-shorty, RepRapCalculator, Fulcrum (CMS), Django and aCMS. And there are
> many other vulnerable web applications with ZeroClipboard10.swf (some of
> them also contain ZeroClipboard.swf).
So did you report this vulnerability to those projects? Even to a security@ or
similar address? I noticed this vulnerability from WordPress plugins. Did you
report those? Did you ask CVE identifiers?
--
Henri Salo
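A triage check that a reader of this thread would want, added here and not part of the original message or of any of the listed projects: it walks a web root and lists every Flash (SWF) file by its magic bytes, with a SHA-256 per hit, so bundled copies of ZeroClipboard.swf or ZeroClipboard10.swf can be located for removal or upgrade even when an application has renamed the file. The directory argument, the function names and the fallback to `shasum` where `sha256sum` is absent are assumptions of this example.

```shell
#!/bin/sh
# Added triage helper, not code from the thread or from any listed project.
# Lists SWF files under a web root so copies of ZeroClipboard.swf /
# ZeroClipboard10.swf bundled by an application can be found. Matches on the
# SWF magic bytes (FWS = uncompressed, CWS = zlib, ZWS = LZMA) rather than on
# the file name, so renamed copies show up too. One line per hit:
#   <sha256>  <path>

find_swf() {
    root=${1:-.}                      # web root to scan (assumed argument)
    find "$root" -type f 2>/dev/null | while IFS= read -r f; do
        # read the first three bytes; drop NULs so the shell can hold them
        magic=$(dd if="$f" bs=3 count=1 2>/dev/null | tr -d '\000')
        case "$magic" in
            FWS|CWS|ZWS)
                # sha256sum on GNU userland, shasum -a 256 on BSD/macOS
                if command -v sha256sum >/dev/null 2>&1; then
                    sum=$(sha256sum "$f" | cut -d' ' -f1)
                else
                    sum=$(shasum -a 256 "$f" | cut -d' ' -f1)
                fi
                printf '%s  %s\n' "$sum" "$f"
                ;;
        esac
    done
}

# Number of SWF files found; handy for failing a build or audit step.
count_swf() {
    find_swf "$1" | wc -l | tr -d ' '
}
```

Run it as `find_swf /var/www` and compare the hashes against the copy shipped by whichever ZeroClipboard release you have vetted; any hit that is not an intentional, current copy is a candidate for removal.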
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/