Hi
Hi: I just want to know... if the recently published bugs at securityfocus are true... sometimes the people lie on this list... that's my question...
--Visita
You seem to mean http://www.securityfocus.com/archive/1/325641 ? I just found that by searching the site. Sadly though, that person has never contacted the team about that issue.
As far as I can tell, that ImportDocSQL security issue has been fixed since 2.5.0 - I haven't looked into the other XSS issues, as the original poster doesn't exactly specify them. Most actions need a valid 'session' to execute cross-site scripting, which is not *that* serious. Storing cookies unencrypted is documented in some of our RFE trackers, why we don't encrypt the data currently.
But our team should definitely take some time to write a follow-up/response to that item...
Regards, Garvin.