[VIM] Revisiting The Past
Steven M. Christey
coley at linus.mitre.org
Wed Aug 9 16:15:12 EDT 2006
My gut reaction is that this was a dupe/rediscovery that wasn't caught due
to different spellings of "ProductCart" and "Product Cart" (though we
should have caught it on the script or parameter name...) These days, I
would update the original CVE to mention the new version that is also
affected.

I hate duplicates due to alternate spellings :( In CVE, we don't have a
normalized vendor or product name field, which might make this issue worse
- or do other DBs have the same problem?

- Steve

On Wed, 9 Aug 2006, George A. Theall wrote:
> Can anyone tell me the difference between:
>
> http://echo.or.id/adv/adv16-theday-2005.txt (the 1st SQL injection)
> http://archives.neohapsis.com/archives/bugtraq/2005-07/0521.html
>
> The first seems to be reflected in CVE-2005-1967, and OSVDB 17329; the
> latter in CVE-2005-2445, OSVDB 18508. And to further muddy things, BID
> 13881 credits Dedi Dwianto but provides a reference to Dcrab's advisory.
>
> Unless I'm missing something, both appear to cover the same app /
> version / script / parameter / issue. [NB: Bugtraq and OSVDB do say
> Product Cart 2.7 is affected, but Dwianto's advisory states "version : <
> 2.7", at least as I look at it right now.]
>
> George
> --
> theall at tenablesecurity.com
>