ping?

2012/4/8 Funda Wang <[email protected]>:
> Hello,
>
> Could somebody pushing redmine 1.3.2 into cauldron?
>
> Redmine before 1.3.2 does not properly restrict the use of a hash to
> provide values for a model's attributes, which allows remote attackers
> to set attributes in the (1) Comment, (2) Document, (3) IssueCategory,
> (4) MembersController, (5) Message, (6) News, (7) TimeEntry, (8)
> Version, (9) Wiki, (10) UserPreference, or (11) Board model via a
> modified URL, related to a "mass assignment" vulnerability, a
> different vulnerability than CVE-2012-0327.
>
> Thanks.

Reply via email to