lol
-
@cR0w love that someone just dropped that in their github issues
-
@thief_of_fire @cR0w I'm honestly kinda annoyed by their response in the issue? Like, looking at their linked policy this IS the way things should be reported, right??
https://github.com/gchq/CyberChef/blob/master/SECURITY.md
-
@nyanbinary @thief_of_fire @cR0w
If you feel that the vulnerability is significant enough to warrant a private disclosure, please email...
Do you not think a high severity CVE is significant enough to warrant private disclosure?
-
@2Bfair @thief_of_fire @cR0w No, not necessarily. CVSS severity levels are great for bulk classification & prioritisation but do not always correctly reflect individual findings - pretty much every pentester I know constantly complains about customers wanting CVSS classifications because of this. Additionally I kinda disagree with this CVSS string in this case, given it assumes UI:N which I always find iffy for reflected XSS.
-
@cR0w If even the GCHQ can’t get it right, what chance do the rest of us have?
-
@nyanbinary @2Bfair @thief_of_fire It's XSS. I wouldn't think twice about dropping it on Mastodon let alone in the issues.
-
@scottwilson Yeah but I was more laughing about the timing. The CVE was published the same day that v11.0.0 was released, which was the same day the GCHQ-hosted instance was offline for most (all?) of the day.