[Git][security-tracker-team/security-tracker][master] Tagged two CVEs as unimportant for pluxml after asking for advice on how it...

Ola Lundqvist opal at debian.org
Thu Dec 17 06:00:25 GMT 2020



Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker


Commits:
236dceac by Ola Lundqvist at 2020-12-17T06:59:54+01:00
Tagged two CVEs as unimportant for pluxml after asking for advice on how it should be handled. The reason is that you have to be admin to trigger it and admin can anyway run any php code.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -30401,12 +30401,12 @@ CVE-2020-18187
 CVE-2020-18186
 	RESERVED
 CVE-2020-18185 (class.plx.admin.php in PluXml 5.7 allows attackers to execute arbitrar ...)
-	- pluxml <unfixed> (bug #973382)
+	- pluxml <unfixed> (unimportant; bug #973382)
 	NOTE: https://github.com/pluxml/PluXml/issues/321
 	NOTE: The attack vector is a little unusual but it would be quite expected that
 	NOTE: the admin can execute arbitrary php code.
 CVE-2020-18184 (In PluxXml V5.7,the theme edit function /PluXml/core/admin/parametres_ ...)
-	- pluxml <unfixed> (bug #973382)
+	- pluxml <unfixed> (unimportant; bug #973382)
 	NOTE: https://github.com/pluxml/PluXml/issues/320
 	NOTE: One could question whether this is a vulnerability at all. The
 	NOTE: developer documentation describes this as expected behavior.
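Review bot: The rationale for the new unimportant tag on CVE-2020-18184 is only implied by the NOTE questioning whether this is a vulnerability at all; the entry for CVE-2020-18185 directly above records the admin-only precondition ("it would be quite expected that the admin can execute arbitrary php code"), so consider adding an equivalent NOTE to CVE-2020-18184 (and a pointer to the LTS list discussion the commit message refers to) so that future triage does not reopen the question. Both entries keep `<unfixed>` and bug #973382, which is consistent with unimportant meaning affected-but-no-security-impact rather than not-affected.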


=====================================
data/dla-needed.txt
=====================================
@@ -126,12 +126,6 @@ php-horde-trean
   NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in https://bugs.horde.org/ticket/14926 (sunweaver)
   NOTE: 20200829: We may not expect too much activity regarding this by upstream. (sunweaver)
 --
-pluxml
-  NOTE: 20201011: issue is still open upstream. Also low priority for us (abhijith)
-  NOTE: 20201216: Questionable if two of the CVEs should be considered important enough to fix.
-  NOTE: 20201216: One of the issues does not even seem to expected behavior.
-  NOTE: 20201216: Email requesting for advice sent to LTS list. (ola)
---
 reel
   NOTE: 20200909: it is now unmaintained. last commit was in Aug 2018. (utkarsh)
 --
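Review bot: Dropping the whole pluxml entry from dla-needed.txt may be premature: the removed 20201216 NOTE says "two of the CVEs" are questionable, which implies bug #973382 covers more than the two CVEs tagged unimportant in data/CVE/list, and the 20201011 NOTE states the issue is still open upstream. Suggest confirming that no other open pluxml CVE still needs an LTS fix before removing the entry, or keeping it with a NOTE recording the outcome of the LTS list discussion.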



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/236dceac27d54407d1198aa9fca1a98fa8f2585c


