<![CDATA[lol]]>RE: https://infosec.exchange/@cR0w/116483262430297764

lol

favicon

(www.cve.org)

]]>https://board.circlewithadot.net/topic/d00df524-b112-4429-9ae6-9480c63f487d/lolRSS for NodeFri, 01 May 2026 09:22:48 GMTWed, 29 Apr 2026 04:41:24 GMT60<![CDATA[Reply to lol on Wed, 29 Apr 2026 13:09:49 GMT]]>@scottwilson Yeah but I was more laughing about the timing. The CVE was published the same day that v11.0.0 was released, which was the same day the GCHQ-hosted instance was offline for most ( all? ) of the day.

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/cR0w/statuses/116488155295386880https://board.circlewithadot.net/post/https://infosec.exchange/users/cR0w/statuses/116488155295386880Wed, 29 Apr 2026 13:09:49 GMT<![CDATA[Reply to lol on Wed, 29 Apr 2026 13:02:41 GMT]]>@nyanbinary @2Bfair @thief_of_fire It's XSS. I wouldn't think twice about dropping it on Mastodon let alone in the issues.

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/cR0w/statuses/116488127241389420https://board.circlewithadot.net/post/https://infosec.exchange/users/cR0w/statuses/116488127241389420Wed, 29 Apr 2026 13:02:41 GMT<![CDATA[Reply to lol on Wed, 29 Apr 2026 11:49:28 GMT]]>@cR0w If even the GCHQ can’t get it right, what chance do the rest of us have?

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/scottwilson/statuses/116487839317627880https://board.circlewithadot.net/post/https://infosec.exchange/users/scottwilson/statuses/116487839317627880Wed, 29 Apr 2026 11:49:28 GMT<![CDATA[Reply to lol on Wed, 29 Apr 2026 09:09:02 GMT]]>@2Bfair @thief_of_fire @cR0w No, not necessarily. CVSS severity levels are great for bulk classification & priorisation but do not always correctly reflect individual findings - pretty much every pentester I know constantly complains about customers wanting cvss claasifications because of this. Additionally I kinda disagree with this CVSS string in this case, given it assumes UI:N which I always find iffy for reflected XSS.

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/nyanbinary/statuses/116487208488648736https://board.circlewithadot.net/post/https://infosec.exchange/users/nyanbinary/statuses/116487208488648736Wed, 29 Apr 2026 09:09:02 GMT<![CDATA[Reply to lol on Wed, 29 Apr 2026 08:52:33 GMT]]>@nyanbinary @thief_of_fire @cR0w

If you feel that the vulnerability is significant enough to warrant a private disclosure, please email...

Do you not think a high severity CVE is significant enough to warrant private disclosure?

]]>https://board.circlewithadot.net/post/https://infosec.exchange/ap/users/116347120688535430/statuses/116487143643398154https://board.circlewithadot.net/post/https://infosec.exchange/ap/users/116347120688535430/statuses/116487143643398154Wed, 29 Apr 2026 08:52:33 GMT<![CDATA[Reply to lol on Wed, 29 Apr 2026 05:30:06 GMT]]>@thief_of_fire @cR0w I'm honestly kinda annoyed by their response in the issue? Like, looking at their linked policy this IS the way things should be reported, right??
https://github.com/gchq/CyberChef/blob/master/SECURITY.md

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/nyanbinary/statuses/116486347592605060https://board.circlewithadot.net/post/https://infosec.exchange/users/nyanbinary/statuses/116486347592605060Wed, 29 Apr 2026 05:30:06 GMT<![CDATA[Reply to lol on Wed, 29 Apr 2026 05:00:35 GMT]]>@cR0w love that someone just dropped that in their github issues

]]>https://board.circlewithadot.net/post/https://infosec.exchange/ap/users/115602245324882913/statuses/116486231548130384https://board.circlewithadot.net/post/https://infosec.exchange/ap/users/115602245324882913/statuses/116486231548130384Wed, 29 Apr 2026 05:00:35 GMT