Date: Fri, 06 Apr 2012 23:41:36 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE's for Drupal Contrib 2012 001 through 057 (67 new CVE assignments)

So I went through all the Drupal contrib modules for 2012, 4 already
have CVEs, 3 are not security issues/not clear ("may also have an sql
injection" isn't quite enough). The data is below in CSV format and
attached as a file since the line wraps are mangling it up. Data is in
the form:

"CVE(or note)","SA#","description","URL"

=====================

"CVE-2012-1623","SA-CONTRIB-2012-001","Registration Codes - Access bypass","https://drupal.org/node/1394172"
"CVE-2012-1624","SA-CONTRIB-2012-002","Lingotek - Cross Site Scripting","https://drupal.org/node/1394220"
"CVE-2012-1625","SA-CONTRIB-2012-003","Fill PDF - Multiple vulnerabilities","https://drupal.org/node/1394428"
"CVE-2012-1626","SA-CONTRIB-2012-004","Date - SQL injection","https://drupal.org/node/1401434"
"CVE-2012-1627","SA-CONTRIB-2012-005","Vote up/down - Cross Site Scripting","https://drupal.org/node/1401580"
"CVE-2012-1628","SA-CONTRIB-2012-006","SuperCron - XSS","https://drupal.org/node/1401644"
"CVE-2012-1629","SA-CONTRIB-2012-006","Taxotouch - XSS","https://drupal.org/node/1401644"
"CVE-2012-1630","SA-CONTRIB-2012-006","Taxonomy Navigator - XSS","https://drupal.org/node/1401644"
"CVE-2012-1631","SA-CONTRIB-2012-006","Admin:hover - CSRF","https://drupal.org/node/1401644"
"CVE-2012-1632","SA-CONTRIB-2012-007","Password Policy - XSS","https://drupal.org/node/1401678"
"CVE-2012-1633","SA-CONTRIB-2012-007","Password Policy - CSRF","https://drupal.org/node/1401678"
"CVE-2012-1634","SA-CONTRIB-2012-008","Video Filter - Cross Site Scripting","https://drupal.org/node/1401838"
"CVE-2012-1635","SA-CONTRIB-2012-009","Revisioning - Access bypass","https://drupal.org/node/1409268"
"CVE-2012-1636","SA-CONTRIB-2012-010","stickynote - Multiple vulnerabilities","https://drupal.org/node/1409422"
"ALREADY CVE-2012-0914","SA-CONTRIB-2012-011","Panels - Cross Site Scripting (XSS)","https://drupal.org/node/1409436"
"CVE-2012-1637","SA-CONTRIB-2012-012","Quicktabs - Cross Site Scripting (XSS)","https://drupal.org/node/1409476"
"CVE-2012-1638","SA-CONTRIB-2012-013","Search Autocomplete - SQL Injection","https://drupal.org/node/1416612"
"CVE-2012-1639","SA-CONTRIB-2012-014","Drupal Commerce - Cross Site Scripting (XSS)","https://drupal.org/node/1416824"
"CVE-2012-1640","SA-CONTRIB-2012-015","Managesite - Cross Site Scripting (XSS)","https://drupal.org/node/1417000"
"ALREADY CVE-2012-1057","SA-CONTRIB-2012-016","Forward module CSRF","https://drupal.org/node/1425150"
"ALREADY CVE-2012-1056","SA-CONTRIB-2012-016","Forward module Access bypass","https://drupal.org/node/1425150"
"CVE-2012-1641","SA-CONTRIB-2012-017","Finder - Multiple vulnerabilities","https://drupal.org/node/1432970"
"ALREADY CVE-2012-1060","SA-CONTRIB-2012-018","Revisioning - Cross Site Scripting","https://drupal.org/node/1433550"
"CVE-2012-1642","SA-CONTRIB-2012-019","Link checker - Access bypass","https://drupal.org/node/1441252"
"CVE-2012-1643","SA-CONTRIB-2012-020","Faster Permissions - Access bypass","https://drupal.org/node/1441448"
"CVE-2012-1644","SA-CONTRIB-2012-021","Organic Groups Vocab Access Bypass","https://drupal.org/node/1441450"
"CVE-2012-1645","SA-CONTRIB-2012-022","CDN - Information disclosure","https://drupal.org/node/1441502"
"CVE-2012-1646","SA-CONTRIB-2012-023","FAQ - Cross Site Scripting","https://drupal.org/node/1451194"
"CVE-2012-1647","SA-CONTRIB-2012-024","MediaFront - Cross Site Scripting","https://drupal.org/node/1461424"
"CVE-2012-1648","SA-CONTRIB-2012-025","Cool aid; Editable help messages - XSS","https://drupal.org/node/1461438"
"CVE-2012-1649","SA-CONTRIB-2012-025","Cool aid; Editable help messages - access bypass","https://drupal.org/node/1461438"
"CVE-2012-1650","SA-CONTRIB-2012-026","ZipCart - Access bypass","https://drupal.org/node/1461446"
"CVE-2012-1651","SA-CONTRIB-2012-027","Submenu Tree - Cross Site Scripting","https://drupal.org/node/1461470"
"CVE-2012-1652","SA-CONTRIB-2012-028","Hierarchical Select - Cross Site Scripting (XSS)","https://drupal.org/node/1461724"
"CVE-2012-1653","SA-CONTRIB-2012-029","Taxonomy Views Integrator - Cross Site Scripting (XSS)","https://drupal.org/node/1461892"
"CVE-2012-1654","SA-CONTRIB-2012-030","Data - Cross Site Scripting (XSS)","https://drupal.org/node/1471780"
"CVE-2012-1655","SA-CONTRIB-2012-031","UC PayDutchGroup / WeDeal payment credential exposure","https://drupal.org/node/1471800"
"CVE-2012-1656","SA-CONTRIB-2012-031","Multisite Search SQL Injection","https://drupal.org/node/1471800"
"CVE-2012-1657","SA-CONTRIB-2012-032","Block Class - Cross Site scripting","https://drupal.org/node/1471808"
"CVE-2012-1658","SA-CONTRIB-2012-033","Read More Link - Cross Site Scripting","https://drupal.org/node/1471822"
"CVE-2012-1659","SA-CONTRIB-2012-034","Node Recommendation Cross Site Scripting (XSS)","https://drupal.org/node/1471940"
"CVE-2012-1660","SA-CONTRIB-2012-035","Webform Cross Site Scripting (XSS)","https://drupal.org/node/1472214"
"CVE-2012-2056","SA-CONTRIB-2012-036","Content Lock CSRF","https://drupal.org/node/1482126"
"CVE-2012-2057","SA-CONTRIB-2012-036","Ubercart Bulk Stock Updater CSRF","https://drupal.org/node/1482126"
"CVE-2012-2058","SA-CONTRIB-2012-036","Ubercart Payflow payment forgery","https://drupal.org/node/1482126"
"CVE-2012-2059","SA-CONTRIB-2012-036","ticketyboo News Ticker XSS","https://drupal.org/node/1482126"
"NO CVE","SA-CONTRIB-2012-036","ticketyboo 'It may also have a SQL injection vector.'","https://drupal.org/node/1482126"
"CVE-2012-2060","SA-CONTRIB-2012-036","Admin tools XSS","https://drupal.org/node/1482126"
"CVE-2012-2061","SA-CONTRIB-2012-036","Admin tools CSRF","https://drupal.org/node/1482126"
"CVE-2012-2062","SA-CONTRIB-2012-036","Redirecting click bouncer - open redirect","https://drupal.org/node/1482126"
"CVE-2012-2063","SA-CONTRIB-2012-037","Slidebox - access bypass","https://drupal.org/node/1482342"
"CVE-2012-2064","SA-CONTRIB-2012-038","Views Language Switcher Cross Site Scripting (XSS)","https://drupal.org/node/1482420"
"CVE-2012-2065","SA-CONTRIB-2012-039","Language Icons - Cross Site Scripting (XSS)","https://drupal.org/node/1482428"
"CVE-2012-2066","SA-CONTRIB-2012-040","CKEditor and FCKeditor - multiple XSS","https://drupal.org/node/1482528"
"CVE-2012-2067","SA-CONTRIB-2012-040","CKEditor and FCKeditor - arbitrary code execution","https://drupal.org/node/1482528"
"CVE-2012-2068","SA-CONTRIB-2012-041","Fancy Slide - Cross Site Scripting (XSS)","https://drupal.org/node/1482744"
"CVE-2012-2069","SA-CONTRIB-2012-042","Wishlist Cross Site Scripting (XSS)","https://drupal.org/node/1492624"
"CVE-2012-2070","SA-CONTRIB-2012-043","MultiBlock - Cross Site Scripting","https://drupal.org/node/1506390"
"CVE-2012-2071","SA-CONTRIB-2012-044","Contact Forms - Cross Site Scripting","https://drupal.org/node/1506404"
"CVE-2012-2072","SA-CONTRIB-2012-045","AddToAny - Cross Site Scripting","https://drupal.org/node/1506412"
"CVE-2012-2073","SA-CONTRIB-2012-046","Bundle Copy - Arbitrary Code execution","https://drupal.org/node/1506420"
"CVE-2012-2074","SA-CONTRIB-2012-047","Ubercart Views - Information disclosure","https://drupal.org/node/1506428"
"CVE-2012-2075","SA-CONTRIB-2012-048","Contact Save - Cross Site Scripting","https://drupal.org/node/1506438"
"CVE-2012-2076","SA-CONTRIB-2012-049","ShareThis - XSS","https://drupal.org/node/1506448"
"CVE-2012-2077","SA-CONTRIB-2012-049","ShareThis - CSRF","https://drupal.org/node/1506448"
"NO CVE","SA-CONTRIB-2012-050","CDN2 Video - Unsupported","https://drupal.org/node/1506542"
"CVE-2012-2078","SA-CONTRIB-2012-051","Activity XSS","https://drupal.org/node/1506562"
"CVE-2012-2079","SA-CONTRIB-2012-051","Activity CSRF","https://drupal.org/node/1506562"
"CVE-2012-2080","SA-CONTRIB-2012-052","Node Limit Number - Cross Site Request Forgery","https://drupal.org/node/1506728"
"CVE-2012-2081","SA-CONTRIB-2012-053","Organic Groups - Access Bypass","https://drupal.org/node/1507446"
"CVE-2012-2082","SA-CONTRIB-2012-054","Chaos tool suite - Cross Site Scripting (XSS)","https://drupal.org/node/1507466"
"CVE-2012-2083","SA-CONTRIB-2012-055","Fusion theme - Cross Site Scripting (XSS)","https://drupal.org/node/1507510"
"NO CVE","SA-CONTRIB-2012-056","Janrain Engage - Sensitive Data Protection Vulnerability","https://drupal.org/node/1515282"
"CVE-2012-2084","SA-CONTRIB-2012-057","Printer, email and PDF versions - Cross Site Scripting (XSS)","https://drupal.org/node/1515722"
-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
