Date: Mon, 7 Jan 2019 09:43:02 +0100
From: Daniel Bishtawi <daniel@...sparker.com>
To: Henri Salo <henri@...v.fi>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Reflected Cross-site Scripting Vulnerability in Microweber
	1.0.8

Hi Henri,

There was no response after the details had been sent to
peter@...roweber.com as requested by Microweber (info@...roweber.com).
They did not follow up with an update on the status of the fix once the
technical details had been sent, as requested, and did not respond when we
tried to contact them. This is case closed from our point of view as the
technical details had been sent in April for an older version.

Regards,

Daniel Bishtawi
Marketing Administrator | Netsparker Web Application Security Scanner
Tel: +44 (0)20 3588 3843
Follow us on Twitter <https://twitter.com/netsparker> | LinkedIn
<https://www.linkedin.com/company/netsparker-ltd> | Facebook
<https://facebook.com/netsparker>


On Sat, Jan 5, 2019 at 1:32 PM Henri Salo <henri@...v.fi> wrote:

> On Thu, Jan 03, 2019 at 10:45:36AM +0100, Daniel Bishtawi wrote:
> > We are glad to inform you about the vulnerabilities we reported in
> > Microweber 1.0.8.
> > Affected Versions: 1.0.8
> > Homepage: https://github.com/microweber/microweber
> > Status: Not Fixed
> > CVE-ID: CVE-2018-19917
> > Netsparker Advisory Reference: NS-18-038
> > https://www.netsparker.com/web-applications-advisories/ns-18-038-reflected-cross-site-scripting-in-microweber/
> > 13th April 2018 - First Contact
> > 14th April 2018 - Technical Details Sent
> > 28th June 2018 - Attempted to Contact
> > 3rd January 2019 - Advisory Released
>
> How did you contact the vendor? Are you sure that they didn't fix this? Latest
> version is 1.1.2 according to https://microweber.com/download. Do you plan to
> follow up on this or is this case closed from your point of view?
>
> --
> Henri Salo
>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
