[Mageia-dev] Freeze push: redmine 1.3.2

Funda Wang fundawang at gmail.com
Mon Apr 9 12:53:38 CEST 2012


ping?

On Monday, April 9, 2012, Funda Wang <fundawang at gmail.com> wrote:
> ping?
>
> 2012/4/8 Funda Wang <fundawang at gmail.com>:
>> Hello,
>>
>> Could somebody push redmine 1.3.2 into cauldron?
>>
>> Redmine before 1.3.2 does not properly restrict the use of a hash to
>> provide values for a model's attributes, which allows remote attackers
>> to set attributes in the (1) Comment, (2) Document, (3) IssueCategory,
>> (4) MembersController, (5) Message, (6) News, (7) TimeEntry, (8)
>> Version, (9) Wiki, (10) UserPreference, or (11) Board model via a
>> modified URL, related to a "mass assignment" vulnerability, a
>> different vulnerability than CVE-2012-0327.
>>
>> Thanks.
>