Security question about 2.2.5 release

Posted: Mon Dec 18, 2017 6:07 pm
by bmartin
Hi Team,

Recently, MITRE assigned two CVE IDs for issues related to the 2.2.5 release [1] [2]. The first, CVE-2017-17734 [3], is simply described as "CMS Made Simple (CMSMS) before 2.2.5 does not properly cache login information in sessions." The second, CVE-2017-17735 [4], is described as "CMS Made Simple (CMSMS) before 2.2.5 does not properly cache login information in cookies."

Given the wording of your release announcement [1], it isn't obvious if these fixed true vulnerabilities or were defense-in-depth enhancements. Can you clarify which they are?

Thanks,

Brian

[1] viewtopic.php?f=1&t=77737
[2] https://www.cmsmadesimple.org/2017/12/A ... 2.2.5-Wawa
[3] http://cve.mitre.org/cgi-bin/cvename.cg ... 2017-17734
[4] http://cve.mitre.org/cgi-bin/cvename.cg ... 2017-17735

p.s. https://www.cmsmadesimple.org/support/options/ has an HTML typo so (TM) is not rendering: "Although CMS Made Simple&tm; is freely"