History of Vulnerability Report Status
In order to address the number of outstanding vulnerability reports visible on the network, it is intended that this page will list identified reports, provide links to them, and identify their current status. In a large number of cases, the reports are simply clones of one another and in many cases there is insufficient information to verify them, but often it is impossible to get the report updated to reflect the current status.
Bitweaver has the interesting problem of being able to install a sub-set of available facilities, and select tools and formats to be used, so while some reports may well be valid on one site, other sites may not have the same packages enabled. Sites configured only to allow tikiwiki syntax will not be affected by html vulnerabilities for instance. The first stopping place for assessing security is ((Security)) and any recommendations for improving a sites security should be documented there.
Why we need quite so many duplicate copies of these reports seems somewhat of a last of time, and where reports from 2006 are STILL marked as 'under review', perhaps these sites need to cull material that they do not want to manage? I suspect that we need to identify two or three original report sites and simply track them. CVE and it's copy at NVD seem to be the most comprehensive listing.
||Date|Site|Link to Report|Status|Notes
Undated 2006|CVE|[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3103|CVE-2006-3103]| |Version 1.3 - superseded by Version 2
Undated 2007|CVE|[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6374|CVE-2007-6374]| |((Multiple Cross-site Scripting Vulnerabilities))
Undated 2007|CVE|[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6375|CVE-2007-6375]| |((SQL Injection Vulnerabilities))
Undated 2007|CVE|[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6412|CVE-2007-6412]| |((Code Injection into content))
7th Dec 2007|HSC-Research|[http://www.hackerscenter.com/index.php?/HSC-Research-Group/Advisories/HSC-Bitweaver-Cross-Site-Scripting-amp-SQL-Injection-Vulnerability.html|Was 28129]|Fixed R2.1|[http://www.bitweaver.org/blogs/content/12274|Bitweaver Cross-Site Scripting]
9th Dec 2007|XForce|[osvdb.org/39129|39129]|Duplicate|see HSC 7th Dec 2007
9th Dec 2007|XForce|[osvdb.org/39130|39130]|Duplicate|see HSC 7th Dec 2007
9th Dec 2007|XForce|[http://xforce.iss.net/xforce/xfdb/38943|38943]|Fixed R2.1| |
10th Dec 2007|Secunia|[http://secunia.com/advisories/28024|28024]|Duplicate|Quoted original advisory no longer available - see HSC 7th Dec 2007
10th Dec 2007|securityfocus|[http://www.securityfocus.com/bid/26801|26801]|Duplicate|see HSC 7th Dec 2007
9th Dec 2007|osvdb|[http://www.securityfocus.com/bid/26801|26801]|Duplicate|see HSC 7th Dec 2007
11th Dec 2007|securityreason|[http://securityreason.com/securityalert/3428|3428]|Duplicate |see HSC 7th Dec 2007
11th Dec 2007|Vupen|[www.vupen.com/english/advisories/2007/4168|2007/4168]|Duplicate|see HSC 7th Dec 2007
30th Dec 2007|AmnPardaz|[http://www.milw0rm.com/exploits/4814|4814]| |Not sure file upload problem is valid?
| | | |
25th Sept 2008|Secunia|[http://secunia.com/advisories/32014|32014]|Fixed R2.1|((Multiple Cross-site Scripting Vulnerabilities))
25th Sept 2008|XForce|[http://xforce.iss.net/xforce/xfdb/45409|45409]|Fixed R2.1| |
28th Sept 2008|securityfocus|[http://www.securityfocus.com/bid/31395|31395]| |Nothing identified to test
Undated 2008|CVE|[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4337|CVE-2008-4337]|Fixed R2.1|((Multiple Cross-site Scripting Vulnerabilities))
||
Outstanding search results
[http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=bitweaver|CVE] Listing 18 entries back to 2005 - mainly XSS
[http://secunia.com/advisories/search/?search=bitweaver|Secunia] Listing 7 entries sub set of CVE
[http://webapp.iss.net/Search.do?keyword=bitweaver&searchType=keywd&start=0|XForce (IBM ISS)] Listing 19 entries - not spotted the extra one over CVE
Bitweaver has the interesting problem of being able to install a sub-set of available facilities, and select tools and formats to be used, so while some reports may well be valid on one site, other sites may not have the same packages enabled. Sites configured only to allow tikiwiki syntax will not be affected by html vulnerabilities for instance. The first stopping place for assessing security is ((Security)) and any recommendations for improving a sites security should be documented there.
Why we need quite so many duplicate copies of these reports seems somewhat of a last of time, and where reports from 2006 are STILL marked as 'under review', perhaps these sites need to cull material that they do not want to manage? I suspect that we need to identify two or three original report sites and simply track them. CVE and it's copy at NVD seem to be the most comprehensive listing.
||Date|Site|Link to Report|Status|Notes
Undated 2006|CVE|[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3103|CVE-2006-3103]| |Version 1.3 - superseded by Version 2
Undated 2007|CVE|[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6374|CVE-2007-6374]| |((Multiple Cross-site Scripting Vulnerabilities))
Undated 2007|CVE|[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6375|CVE-2007-6375]| |((SQL Injection Vulnerabilities))
Undated 2007|CVE|[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6412|CVE-2007-6412]| |((Code Injection into content))
7th Dec 2007|HSC-Research|[http://www.hackerscenter.com/index.php?/HSC-Research-Group/Advisories/HSC-Bitweaver-Cross-Site-Scripting-amp-SQL-Injection-Vulnerability.html|Was 28129]|Fixed R2.1|[http://www.bitweaver.org/blogs/content/12274|Bitweaver Cross-Site Scripting]
9th Dec 2007|XForce|[osvdb.org/39129|39129]|Duplicate|see HSC 7th Dec 2007
9th Dec 2007|XForce|[osvdb.org/39130|39130]|Duplicate|see HSC 7th Dec 2007
9th Dec 2007|XForce|[http://xforce.iss.net/xforce/xfdb/38943|38943]|Fixed R2.1| |
10th Dec 2007|Secunia|[http://secunia.com/advisories/28024|28024]|Duplicate|Quoted original advisory no longer available - see HSC 7th Dec 2007
10th Dec 2007|securityfocus|[http://www.securityfocus.com/bid/26801|26801]|Duplicate|see HSC 7th Dec 2007
9th Dec 2007|osvdb|[http://www.securityfocus.com/bid/26801|26801]|Duplicate|see HSC 7th Dec 2007
11th Dec 2007|securityreason|[http://securityreason.com/securityalert/3428|3428]|Duplicate |see HSC 7th Dec 2007
11th Dec 2007|Vupen|[www.vupen.com/english/advisories/2007/4168|2007/4168]|Duplicate|see HSC 7th Dec 2007
30th Dec 2007|AmnPardaz|[http://www.milw0rm.com/exploits/4814|4814]| |Not sure file upload problem is valid?
| | | |
25th Sept 2008|Secunia|[http://secunia.com/advisories/32014|32014]|Fixed R2.1|((Multiple Cross-site Scripting Vulnerabilities))
25th Sept 2008|XForce|[http://xforce.iss.net/xforce/xfdb/45409|45409]|Fixed R2.1| |
28th Sept 2008|securityfocus|[http://www.securityfocus.com/bid/31395|31395]| |Nothing identified to test
Undated 2008|CVE|[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4337|CVE-2008-4337]|Fixed R2.1|((Multiple Cross-site Scripting Vulnerabilities))
||
Outstanding search results
[http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=bitweaver|CVE] Listing 18 entries back to 2005 - mainly XSS
[http://secunia.com/advisories/search/?search=bitweaver|Secunia] Listing 7 entries sub set of CVE
[http://webapp.iss.net/Search.do?keyword=bitweaver&searchType=keywd&start=0|XForce (IBM ISS)] Listing 19 entries - not spotted the extra one over CVE