Static Code Injection in gibbonedu/core
Reported on
Jan 22nd 2022
Description
The file export.php accepts a file path in the q parameter. An attacker can upload a txt file to the server containing PHP code, pass its location in the q parameter, and the PHP code inside the uploaded txt file will then be executed.
Proof of Concept
1. Upload a txt file containing <?php phpinfo(); ?>. Many features allow file uploads; one of them is creating lesson planners.
2. Copy the path and the name of the txt file
3. Go to localhost/export.php?q=/path/to/txtfile.txt
4. You will see that phpinfo() is executed.
Impact
Remote code execution
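The root cause described above is an include of a request-controlled path: PHP's include() parses <?php ... ?> tags in any file it is handed, whatever the extension, so an upload filter that only blocks .php files does not stop this. The following is an added example, not Gibbon's own code or the actual fix, showing the unsafe pattern next to a hardened export handler. The directory name EXPORT_DIR, the $allowedExports registry and the export identifiers in it are assumptions made for the illustration.

```php
<?php
// Added example, not Gibbon's code. Shows the unsafe pattern the report
// describes and a hardened replacement for a file-including "export" endpoint.
// Assumptions: export scripts live in a fixed directory EXPORT_DIR, each one is
// registered in $allowedExports, and $_GET['q'] names one of them by identifier.

// --- Unsafe pattern (the bug class in the report): the include path comes
// straight from the request. include() parses PHP tags in any file regardless
// of extension, so pointing q at an uploaded .txt that contains PHP runs it.
//
//   include $_GET['q'];

define('EXPORT_DIR', __DIR__ . '/exports');

// Allow-list of export identifiers mapped to the scripts they may load.
// The client supplies an identifier, never a path.
$allowedExports = [
    'timetable' => 'timetable.php',
    'gradebook' => 'gradebook.php',
];

function resolveExport(string $q, array $allowed): ?string
{
    // 1. Only identifiers from the allow-list are accepted; anything with
    //    slashes, dots or other path characters never reaches the filesystem.
    if (!array_key_exists($q, $allowed)) {
        return null;
    }

    // 2. Canonicalise and confirm the target really sits inside EXPORT_DIR.
    //    realpath() collapses ../ and symlinks, so a mistake in the registry
    //    cannot silently point outside the directory either.
    $base = realpath(EXPORT_DIR);
    $target = realpath(EXPORT_DIR . '/' . $allowed[$q]);
    if ($base === false || $target === false) {
        return null;
    }
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

// Reject non-string values (q[]=... arrays) as well as unknown identifiers.
$q = (isset($_GET['q']) && is_string($_GET['q'])) ? $_GET['q'] : '';
$script = resolveExport($q, $allowedExports);

if ($script === null) {
    http_response_code(400);
    // Log the rejected value: a q carrying a path or an upload location is a
    // useful detection signal in web server and application logs.
    error_log('export.php: rejected q=' . $q);
    exit('Unknown export.');
}

include $script;
```

The two checks are deliberately redundant: the allow-list alone already prevents a path from being included, and the realpath() containment check catches a future registry entry that points somewhere it should not. Neither check depends on the upload handling elsewhere in the application, which is what makes the fix robust against the "upload anywhere, include it here" chain in the report.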
Occurrences
Hi @admin, this seems to be fixed now. Can I request a CVE for this as reserved and publish it after 3 months, as the maintainer requested?
As mentioned in the other report, we first require maintainers to confirm that they are happy for a CVE to be assigned.
Furthermore, we first expect a fix to be confirmed against the report before going ahead with this.
Hi there, we've confirmed the fix in our latest version of Gibbon and have notified our community that updating their installations should be a high priority.
As per our security policy, we ask that developers do not immediately post security vulnerabilities in a CVE database. Many schools who use Gibbon may have limited funds or IT infrastructure and may only update once or twice a year. It's important to give our community ample time to update their systems before a vulnerability is posted on a public database. Once an issue has been patched and released to the community, we are open to posting these after a window of 3 months, to help ensure all systems are updated. We want to be sure to consider our schools and their capacity, to ensure we're putting their interests first.
Hello @admin, three months have now passed since I disclosed this. Perhaps we can request a CVE now? Thanks
I believe that the maintainer has requested that we only publish a CVE once the FIX has been live for three months, not since the point of disclosure.
@maintainer - can you please confirm this?
Hi @admin, I kinda forgot about this report, but I believe it's safe to assign a CVE for this bug now.