From: Frédéric BOURLA <>
Subject: RE: RFI in JAF CMS

Dear Mr. SALO,

Thanks for your email, and for pointing out the dual discovery.

In fact, we are aware of this situation, and we agree that we had by mistake
published a few advisories which implied already discovered vulnerabilities.
Indeed, there is no "lots of announcements" as you may have been tricked to
think through Jericho is really far from being objective, and
he only published parts of our communications. To make a long story short,
he made a lot of mistakes, and after a deep review of our advisories, we
admitted that we discovered 5 vulnerabilities which were effectively
previously published\u2026 Only 5 vulnerabilities on more than 300 bulletins
which have already permitted about 120 vendors to improve the security of
their products.

Those 5 webpages will not be removed, as it is a true discovery from our R&D
team. Nevertheless, the credit information field have been updated several
months ago: 
- HTB22770:
- HTB22666:
- HTB22445:
- HTB22442:
- HTB22398:

Once again, thanks for your feedback, and I wish you a merry Christmas and a
happy new year!


Head of Ethical Hacking Department

-----Original Message-----
From: Henri Salo [] 
Sent: dimanche 18 dcembre 2011 13:34
To: security curmudgeon;
Subject: Re: RFI in JAF CMS

On Sat, Apr 02, 2011 at 12:31:28AM -0500, security curmudgeon wrote:
> CVE-2008-1609 & CVE-2006-7128
> same issue, 4.0 RC1 and RC2. really guys? at least check VDBs before 
> you publish.
> : Vulnerability ID: HTB22666
> : Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
> Did you check the vendor's page?
> This page last updated on : May 20, 2006

This is still listed in htbridge web-page. Sadly
doesn't work anymore. They listed lots of similar announcements.

- Henri Salo

Copyright © 1995-2021 All rights reserved.