Hi LTS team,

I have checked two of the pluxml issues.

CVE-2020-18184

This vulnerability is questioned upstream. The "vulnerability" is that a user who can edit themes can update a template that allows that user to execute arbitrary code. However, the complaint is that there is plenty of documentation telling the user that this functionality should exist. I would say that it is quite expected that a theme admin user can do this.

The question is how this should be marked:
- no-dsa minor issue?
- ignored?

I may have missed something since this package was added to dla-needed.

CVE-2020-18185

This vulnerability is questionable. The vulnerability is that an admin user can edit a configuration file and by that execute arbitrary code. I would say that this is intended behavior, even though the attack vector is a little unusual and indicates that there is a fault somewhere. Upstream seems to confirm that there is a vulnerability, but not a very high one. I find it rather unlikely that upstream will publish any update on this in a quick manner.

The question is how this should be marked:
- no-dsa minor issue?
- postponed? Keep it as is and wait to see if something happens?

Should we have a special file for monitoring issues that may get resolved eventually? Just to not make the dla-needed file cluttered with this kind of monitor for eventual fixes?

Best regards

// Ola

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  [email protected]                  [email protected] |
|  http://inguza.com/                  Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
