Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2ac1ebe5 by Ola Lundqvist at 2020-12-16T07:48:03+01:00
Investigation information for pluxml. Questioning whether these are vulnerabilities to fix.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -30380,9 +30380,13 @@ CVE-2020-18186
CVE-2020-18185 (class.plx.admin.php in PluXml 5.7 allows attackers to execute
arbitrar ...)
- pluxml <unfixed> (bug #973382)
NOTE: https://github.com/pluxml/PluXml/issues/321
+ NOTE: The attack vector is a little unusual but it would be quite
expected that
+ NOTE: the admin can execute arbitrary php code.
CVE-2020-18184 (In PluxXml V5.7,the theme edit function
/PluXml/core/admin/parametres_ ...)
- pluxml <unfixed> (bug #973382)
NOTE: https://github.com/pluxml/PluXml/issues/320
+ NOTE: One could question whether this is a vulnerability at all. The
+ NOTE: developer documentation describes this as expected behavior.
CVE-2020-18183
RESERVED
CVE-2020-18182
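Review bot: The new NOTE under CVE-2020-18184 cites "the developer documentation" as describing this as expected behavior but gives no URL, so the claim cannot be checked from the tracker entry alone; please add a NOTE line linking the relevant documentation page. The same goes for the CVE-2020-18185 note, which rests on the assumption that an admin is expected to be able to run arbitrary PHP: a reference to where upstream states that trust model would make the triage reproducible. Both entries also remain plain `- pluxml <unfixed> (bug #973382)`; if the LTS discussion concludes these are not real vulnerabilities, the severity should be recorded on that line (for example as `(unimportant)`) rather than only in free-text notes.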
=====================================
data/dla-needed.txt
=====================================
@@ -130,6 +130,9 @@ php-horde-trean
--
pluxml
NOTE: 20201011: issue is still open upstream. Also low priority for us
(abhijith)
+ NOTE: 20201216: Questionable if two of the CVEs should be considered
important enough to fix.
+ NOTE: 20201216: One of the issues does not even seem to expected behavior.
+ NOTE: 20201216: Email requesting for advice sent to LTS list. (ola)
--
reel
NOTE: 20200909: it is now unmaintained. last commit was in Aug 2018.
(utkarsh)
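Review bot: The second added NOTE, "One of the issues does not even seem to expected behavior.", is missing words and as written reads as the opposite of the CVE-2020-18184 note in data/CVE/list, which says the behavior is documented as expected. Please reword it (something like "seems to be expected behavior") and name the CVE ids in both the first and second notes, since "two of the CVEs" and "one of the issues" force the next person picking up pluxml to go back to data/CVE/list to find out which ones are meant.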
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ac1ebe5237b43eba856af32bcdc5066e4964ecb