Tickets :: Comment on [#14857] Multiple XSS security vulnerabilities

* Your Email Address
* Spam protection	Enter the letters below: .__ .___.\ /.__..__. [__) _/ >< \| \|\| \| \| ./__./ \\|__\\|__\
Comment	> Hi, > > first of all, thanks for the ping via email. It was a busy week. ;) > > Second: I found copy/paste of requests I used (from Burp on the other VM). > > To use them: update your cookie for valid one (you can use Burp) because > to exploit it you'll need to be an 'admin' anyway. > > Then, sqlmap should be good to reproduce (-r request.txt). > > As far as I remember 'display_errors' was enabled. > > One note to add: > I tried those requests (with display_err to On and Off) for version > 5.2.19 and .21 as well. > I could not reproduce those 'steps' (for mentioned versions) this > time - so it's a little surprise for me to be honest. ;) > > I did not yet check .22 version. > > As we spoke more privately: > because we can not reproduce it now - it could be a false positive. > But I think if it's just 'depend' on something we don't know now/yet - that > is still worth to investigate (from the source code 'perspective'). > > If I can help - let me know. > > Thank you for your time. > > Best regards, > Cody > > > > > >> I have asked the original reporter of CVE-2017-17781 to clarify the >> steps which are needed to produce a SQL injection. If a consensus >> cannot be reached or if he does not reply to this issue again, I will >> ask MITRE to review CVE-2017-17781. They might then either reject the >> issue or mark it as disputed. >
Attachment
Watch this ticket

Saved Queries