CVE-2018-10086

Posted: Wed Jun 20, 2018 9:08 am
by anthon
What is the status on this?

Cheers, Christian.

Re: CVE-2018-10086

Posted: Mon Jun 25, 2018 8:56 am
by velden
The description is rather vague and I don't see how it can be a vulnerability.

Note that in general we don't consider it a vulnerability when an admin user can do admin things.

Please let me know if I'm missing something obvious.

Re: CVE-2018-10086

Posted: Wed Jun 27, 2018 9:29 am
by anthon
I'm probably not the right person to judge the implications. But if the vulnerabilities are only applicable to logged-in users in the admin or designer groups, I also fail to see the problem, since these users will already be allowed to execute more or less arbitrary PHP code through other means.

Thanks for the answer.

Re: CVE-2018-10086

Posted: Wed Jun 27, 2018 4:30 pm
by velden
anthon wrote: I'm probably not the right person to judge the implications. But if the vulnerabilities are only applicable to logged-in users in the admin or designer groups, I also fail to see the problem, since these users will already be allowed to execute more or less arbitrary PHP code through other means.

Thanks for the answer.

That's exactly what we understand from it too.
It's a pity those reports pop up regularly, but we don't have time to reply to every one of them (the 'invalid' ones, I mean).

However, if you think we might have missed an important vulnerability, it's of course fine to ask about it.

Re: CVE-2018-10086

Posted: Wed Jul 11, 2018 3:48 pm
by creopard
The different CVEs read rather nicely:
https://github.com/itodaro/cve/blob/master/README.md

You should at least consider adding the suggested fixes.
They are probably not really severe, but it would round up the upcoming version 2.3 just nicely :D