09.04.2012 13:53, Funda Wang skrev: > ping? > > 在 2012年4月9日星期一,Funda Wang <[email protected] > <mailto:[email protected]>> 写道: >> ping? >> >> 2012/4/8 Funda Wang <[email protected] <mailto:[email protected]>>: >>> Hello, >>> >>> Could somebody pushing redmine 1.3.2 into cauldron? >>> >>> Redmine before 1.3.2 does not properly restrict the use of a hash to >>> provide values for a model's attributes, which allows remote attackers >>> to set attributes in the (1) Comment, (2) Document, (3) IssueCategory, >>> (4) MembersController, (5) Message, (6) News, (7) TimeEntry, (8) >>> Version, (9) Wiki, (10) UserPreference, or (11) Board model via a >>> modified URL, related to a "mass assignment" vulnerability, a >>> different vulnerability than CVE-2012-0327. >>> >>> Thanks. >>
Pushed. -- Thomas
