
The Inflation of "Security Researchers" and Its Consequences for Open Source

  1. cURL
    cURL is a computer software project providing a library and command-line tool for transferring data...
    Pricing:
    • Open Source
    A well-documented case that illustrates this problem is CVE-2020-19909, which was recently reassigned as a "critical" vulnerability in Curl — despite being a decades-old, non-exploitable bug. This case exposes the systemic flaws in how CVEs are assigned and scored (see Daniel Stenberg's blog and the Hacker News discussion).


  2. Automad
    Automad is a file-based, open source content management system.
    Pricing:
    • Open Source
    A perfect example of this issue happened last year when I received multiple CVE notifications about a supposed cross-site scripting (XSS) vulnerability in Automad. The reports claimed that a non-sanitized input field could be exploited to inject JavaScript. However, these reports completely misunderstood the nature of the project. Automad is designed as a single-user content management system, meaning there are no user sessions to steal, and the only person with access is the site owner — who already has full control over the server. While it is possible to add other trusted collaborators, Automad does not include role-based access management or a permission system — this is intentional. As a minimalistic CMS, it is designed for simplicity rather than complex user management. This fact alone eliminates any meaningful attack vector for XSS.

