XStream version 1.4.16 has Remote Code Execution security bugs


Lai Han of nsfocus security team

May 14, 2021, 12:45:25 AM
to XStream User
Hello,
I also found a new gadget which bypasses the default blacklist, and want to report this issue to XStream. How can I report the details of this issue?

Jörg Schaible

May 14, 2021, 9:16:58 AM
to XStream User, Lai Han of nsfocus security team
Hi

On Friday, 14. May 2021, 06:45:24 CEST Lai Han of nsfocus security team wrote:
> Hello,
> I also found a new gadget which bypasses the default blacklist, and want to
> report this issue to XStream. How can I report the details of this issue?

Can you check it against the new release of XStream 1.4.17?

Regards,
Jörg




Lai Han of nsfocus security team

May 16, 2021, 10:14:37 PM
to XStream User

In fact, I found two exploit chains; one of them no longer works on 1.4.17, but the other one still does.

Jörg Schaible

May 17, 2021, 1:54:17 PM
to XStream User, Lai Han of nsfocus security team
Hi,

You should have received an invitation to XStream's Security list. Please give
the details there.

Regards,
Jörg

On Monday, 17. May 2021, 04:14:37 CEST Lai Han of nsfocus security team wrote:

Lai Han of nsfocus security team

May 17, 2021, 10:23:39 PM
to XStream User
Hi

I'm sorry I couldn't reply to the message in time, as there is a time difference of several hours between us.

I received an email saying that I was added to the XStream Security group, but on my end it shows that I do not have access to this content. I don't know if this is normal. Or should I send an email directly to the email address of the XStream security managers to report the vulnerability details?



Jörg Schaible

May 18, 2021, 5:45:29 PM
to XStream User, Lai Han of nsfocus security team
Hi,

On Tuesday, 18. May 2021, 04:23:39 CEST Lai Han of nsfocus security team wrote:
> Hi
>
> I'm sorry I couldn't reply to the message in time, as there is a time
> difference of several hours between us.
>
> I received an email saying that I was added to the XStream Security group,
> but on my end it shows that I do not have access to this content. I don't
> know if this is normal. Or should I send an email directly to the email address
> of the XStream security managers to report the vulnerability details?

Yes, you should be able to send mails directly to that address now.

Regards,
Jörg


[snip]

