[Git][security-tracker-team/security-tracker][master] Investigation information for pluxml. Questioning that this is vulnerabilities to fix.
Ola Lundqvist
opal at debian.org
Wed Dec 16 06:48:16 GMT 2020
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2ac1ebe5 by Ola Lundqvist at 2020-12-16T07:48:03+01:00
Investigation information for pluxml. Questioning that this is vulnerabilities to fix.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -30380,9 +30380,13 @@ CVE-2020-18186
CVE-2020-18185 (class.plx.admin.php in PluXml 5.7 allows attackers to execute arbitrar ...)
- pluxml <unfixed> (bug #973382)
NOTE: https://github.com/pluxml/PluXml/issues/321
+ NOTE: The attack vector is a little unusual but it would be quite expected that
+ NOTE: the admin can execute arbitrary php code.
CVE-2020-18184 (In PluxXml V5.7,the theme edit function /PluXml/core/admin/parametres_ ...)
- pluxml <unfixed> (bug #973382)
NOTE: https://github.com/pluxml/PluXml/issues/320
+ NOTE: One could question whether this is a vulnerability at all. The
+ NOTE: developer documentation describes this as expected behavior.
CVE-2020-18183
RESERVED
CVE-2020-18182
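Review bot: The added NOTE under CVE-2020-18184 cites "the developer documentation" as describing this as expected behavior but gives no URL, so a later reader cannot check the basis for the judgement; please add the documentation link as its own NOTE line, the way the upstream issue is linked just above it. The same applies to the CVE-2020-18185 NOTE: it says the admin is expected to be able to execute arbitrary PHP code, but does not say what makes the attack vector "a little unusual", and that is the part a reader needs to decide whether the admin expectation settles the matter. Both entries still stand at `<unfixed>`, so once the question is answered a follow-up commit should record the outcome rather than leaving only the open question in the notes.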
=====================================
data/dla-needed.txt
=====================================
@@ -130,6 +130,9 @@ php-horde-trean
--
pluxml
NOTE: 20201011: issue is still open upstream. Also low priority for us (abhijith)
+ NOTE: 20201216: Questionable if two of the CVEs should be considered important enough to fix.
+ NOTE: 20201216: One of the issues does not even seem to expected behavior.
+ NOTE: 20201216: Email requesting for advice sent to LTS list. (ola)
--
reel
NOTE: 20200909: it is now unmaintained. last commit was in Aug 2018. (utkarsh)
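Review bot: The second added line, "One of the issues does not even seem to expected behavior", is missing a verb and as written reads as the opposite of the data/CVE/list note in this same commit, which says the developer documentation describes the behavior as expected. Please reword it so the meaning is unambiguous and name the CVE it refers to, since the pluxml entry covers more than one. The third line would also be easier to follow up on with a link to or the date of the mail sent to the LTS list.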
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ac1ebe5237b43eba856af32bcdc5066e4964ecb