PROPOSAL: Cluster 29 - PRIVACY (9 candidates)
The following candidates deal with privacy, i.e. unintentional release of personal information. These don't necessarily conform with most definitions of "vulnerability" because the private information (usually) doesn't allow an attacker to break into a system or do damage.

Should they be CVE vulnerabilities? Technically, most of these don't satisfy the current CVE vulnerability definition, because there aren't necessarily any *specified* restrictions on the data. But certainly there are some *implied* restrictions, e.g. in the shopping cart programs.

The basic question is: when does the loss of privacy constitute a security problem?

If these should be treated as vulnerabilities, are they High Cardinality, and if so, are they Easily Enumerable? Or should we just merge them all into a single CVE entry that may be at a level of abstraction that appears to be higher than most other CVE entries?

Another issue is, should we treat these types of candidate vulnerabilities the same as we do with other vulnerabilities that deal with weak encryption?

- Steve

Summary of votes to use (in ascending order of "severity"):

ACCEPT - member accepts the candidate as proposed
NOOP - member has no opinion on the candidate
MODIFY - member wants to change some minor detail (e.g. reference/description)
REVIEWING - member is reviewing/researching the candidate
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

Please write your vote on the line that starts with "VOTE: ". If you want to add comments or details, add them to lines after the VOTE: line.

=================================
Candidate: CAN-1999-0031
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990728
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.20.javascript

JavaScript allows remote attackers to monitor a user's web activities.

VOTE:

=================================
Candidate: CAN-1999-0469
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990728
Assigned: 19990607
Category: SF
Reference: XF:ie-window-spoof
Reference: BUGTRAQ:Apr9,1999

Internet Explorer 5.0 allows window spoofing, allowing a remote attacker to spoof a legitimate web site and capture information from the client.

VOTE:

=================================
Candidate: CAN-1999-0604
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:Apr20,1999

An incorrect configuration of the WebStore 1.0 shopping cart CGI program "web_store.cgi" could disclose private information.

VOTE:

=================================
Candidate: CAN-1999-0605
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:Apr20,1999

An incorrect configuration of the Order Form 1.0 shopping cart CGI program could disclose private information.

VOTE:

=================================
Candidate: CAN-1999-0606
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:Apr20,1999

An incorrect configuration of the EZMall 2000 shopping cart CGI program "mall2000.cgi" could disclose private information.

VOTE:

=================================
Candidate: CAN-1999-0607
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:Apr20,1999

An incorrect configuration of the QuikStore shopping cart CGI program "quikstore.cgi" could disclose private information.

VOTE:

=================================
Candidate: CAN-1999-0608
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:Apr20,1999

An incorrect configuration of the PDG Shopping Cart CGI program "shopper.cgi" could disclose private information.

VOTE:

=================================
Candidate: CAN-1999-0609
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:Apr20,1999

An incorrect configuration of the SoftCart CGI program "SoftCart.exe" could disclose private information.

VOTE:

=================================
Candidate: CAN-1999-0610
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:Apr23,1999

An incorrect configuration of the Webcart CGI program could disclose private information.

VOTE: