Just browsing the results of a search for "xss severity" on Google, at a first glance most people seem to rate XSS exploits as "high", which would map to "Important" in MS speech.
On Tue, 4.03.2008, 10:39, Don Brown wrote:
> Well, this was the first hit on google:
> http://www.microsoft.com/technet/security/bulletin/rating.mspx
>
> Therefore, I'd say Moderate to Important.
>
> Don
>
> On 3/4/08, Rene Gielen <[EMAIL PROTECTED]> wrote:
>> Yes, sounds good to me. How about the criticality rating in the
>> bulletin? "Critical" was - I have to admit :) - just copied from 001,
>> what would be a fitting rating here?
>>
>> Don Brown wrote:
>>
>>> What about:
>>>
>>> * All developers are strongly advised to update Struts 2 applications
>>> to Struts 2.0.11.1 to prevent XSS attacks through Struts 2 tags.
>>>
>>> In this way, we aren't quite so "in-your-face" and a quick summary of
>>> the issue and what part of Struts 2 is affected is included. The
>>> qualifier is probably important as not all apps use the affected
>>> Struts 2 tags and since the release just includes that one fix, it is
>>> valuable to specify exactly what has been fixed.
>>>
>>> Still, these are all minor things - the important thing is that you
>>> got this release out so quickly and for that, we are all very grateful
>>> :)
>>>
>>> Don
>>>
>>> On 3/4/08, Rene Gielen <[EMAIL PROTECTED]> wrote:
>>>> Agreed. How should we put it better?
>>>>
>>>> Don Brown wrote:
>>>>
>>>>> Good point. This pales in comparison to, say, the OGNL remote code
>>>>> exploit. XSS exploits, while important, just aren't anywhere near as
>>>>> big of deal.
>>>>>
>>>>> Don
>>>>>
>>>>> On Tue, Mar 4, 2008 at 12:43 PM, Jeromy Evans
>>>>> <[EMAIL PROTECTED]> wrote:
>>>>>> My opinion is that the criticality is overstated.
>>>>>> However it is useful to draw attention to the vulnerability.
>>>>>>
>>>>>> Don Brown wrote:
>>>>>>> Looks good. Thanks for creating a security bulletin as well.
>>>>>>>
>>>>>>> Don
>>>>>>>
>>>>>>> On 3/4/08, Rene Gielen <[EMAIL PROTECTED]> wrote:
>>>>>>>> The release has been submitted for mirroring. Here's a draft
>>>>>>>> announcement that we could post tomorrow morning, including a link to a
>>>>>>>> corresponding security bulletin announcement in the wiki. Comments and
>>>>>>>> corrections to both texts are highly appreciated.
>>>>>>>>
>>>>>>>> ----
>>>>>>>>
>>>>>>>> Apache Struts 2.0.11.1 is now available from
>>>>>>>> <http://struts.apache.org/download.cgi#struts20111>.
>>>>>>>>
>>>>>>>> This release is a fast track security fix release, including important
>>>>>>>> security fixes regarding possible cross site scripting exploits. For
>>>>>>>> more information about the exploits, visit our security bulletins page at
>>>>>>>> <http://cwiki.apache.org/confluence/display/WW/S2-002>.
>>>>>>>>
>>>>>>>> * ALL DEVELOPERS ARE STRONGLY ADVISED TO UPDATE TO STRUTS 2.0.11.1
>>>>>>>> IMMEDIATELY!
>>>>>>>>
>>>>>>>> For the complete release notes for Struts 2.0.11.1, see
>>>>>>>> <http://cwiki.apache.org/confluence/display/WW/Release+Notes+2.0.11.1>.
>>>>>>>>
>>>>>>>> ---------------------------------------------------------------------
>>>>>>>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>>>>>>>> For additional commands, e-mail: [EMAIL PROTECTED]

--
Rene Gielen | http://it-neering.net/
Aachen      | PGP-ID: BECB785A
Germany     | gielen at it-neering.net
