History of Vulnerability Report Status
Version 2 | Current version | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
In order to address the number of outstanding vulnerability reports visible on the network, it is intended that this page will list identified reports, provide links to them, and identify their current status. In a large number of cases, the reports are simply clones of one another and in many cases there is insufficient information to verify them, but often it is impossible to get the report updated to reflect the current status. Bitweaver has the interesting problem of being able to install a sub-set of available facilities, and select tools and formats to be used, so while some reports may well be valid on one site, other sites may not have the same packages enabled. Sites configured only to allow tikiwiki syntax will not be affected by html vulnerabilities for instance. The first stopping place for assessing security is Security and any recommendations for improving a sites security should be documented there. Why we need quite so many duplicate copies of these reports seems somewhat of a last of time, and where reports from 2006 are STILL marked as 'under review', perhaps these sites need to cull material that they do not want to manage? I suspect that we need to identify two or three original report sites and simply track them. CVE and it's copy at NVD seem to be the most comprehensive listing.
Outstanding search results CVE Listing 18 entries back to 2005 - mainly XSS Secunia Listing 7 entries sub set of CVE XForce (IBM ISS) Listing 19 entries - not spotted the extra one over CVE | This page lists vulnerability reports – concerning the security of the Bitweaver application – posted on websites other than bitweaver.org, in order to address and to discuss outstanding issues, and to identify their current status. During and after the installation of Bitweaver, a user chooses to activate a sub-set of all available packages, modules, features, input formats, etc. A report on a security issues might be based on an unattended install, before the security recommendations were considered. A site with different settings may not be affected. As an example, a site configured to restrict input of data to wiki syntax will not be affected by HTML vulnerabilities. Identifying and discussing these reports is necessary, because they might have one or all of the following problems:
List of reports
Report: Multiple XSSThe report named Multiple Cross-site Scripting Vulnerabilities has been duplicated across several sites, some of which do not list the concerned pages. The Secunia report has a list of pages that can be tested. In current versions of Bitweaver, these security issues have been fixed. They are all now handled correctly. For the original report, see Secunia Advisory: SA32014To test if an install is compromised by the exploit, the string
Further search resultsCVE Listing 18 entries back to 2005, mainly XSSSecunia Listing 7 entries sub set of CVE XForce (IBM ISS) Listing 19 entries - not spotted the extra one over CVE |