Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 21 Apr 2015 13:52:13 -0400 (EDT)
From: cve-assign@...re.org
To: Pere Orga <pere@...a.cat>
cc: kseifried@...hat.com, oss-security@...ts.openwall.com,
        cve-assign@...re.org
Subject: Re: Re: CVEs for Drupal contributed modules - January
 2015



> SA-CONTRIB-2015-001 - OPAC - Cross-Site Request Forgery (CSRF)
> https://www.drupal.org/node/2403313

Use CVE-2015-3343.

> SA-CONTRIB-2015-002 - Course - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2403333

Use CVE-2015-3344.

> SA-CONTRIB-2015-003 - PHPlist Integration Module - SQL Injection
> https://www.drupal.org/node/2403343

Use CVE-2015-3345.

> SA-CONTRIB-2015-004 - Context - Open Redirect
> https://www.drupal.org/node/2403351

Use CVE-2015-1051.


> SA-CONTRIB-2015-005 - WikiWiki - SQL injection
> https://www.drupal.org/node/2403375

Use CVE-2015-3346.

> SA-CONTRIB-2015-006 - Cloudwords for Multilingual Drupal - XSS

Use CVE-2015-3348.

> SA-CONTRIB-2015-006 - Cloudwords for Multilingual Drupal - CSRF
> https://www.drupal.org/node/2403447

Use CVE-2015-3347.

> SA-CONTRIB-2015-007 - Htaccess - Cross Site Request Forgery (CSRF)
> https://www.drupal.org/node/2403445

Use CVE-2015-3349.

> SA-CONTRIB-2015-008 - Batch Jobs - Cross Site Request Forgery (CSRF)
> https://www.drupal.org/node/2403451

Use CVE-2015-3355.

> SA-CONTRIB-2015-009 - Linkit - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2403459

Use CVE-2015-3361.

> SA-CONTRIB-2015-010 - Log Watcher - Cross Site Request Forgery (CSRF)
> https://www.drupal.org/node/2403463

Use CVE-2015-3351.

> SA-CONTRIB-2015-011 - Todo Filter - Cross Site Request Forgery (CSRF)
> https://www.drupal.org/node/2403465

Use CVE-2015-3350.

> SA-CONTRIB-2015-012 - Jammer - Cross Site Request Forgery (CSRF)
> https://www.drupal.org/node/2403487

Use CVE-2015-3352.

> SA-CONTRIB-2015-013 - Field Display Label - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2403489

Use CVE-2015-3353.

> SA-CONTRIB-2015-014 - Wishlist - XSS

Use CVE-2015-3355.

> SA-CONTRIB-2015-014 - Wishlist - CSRF
> https://www.drupal.org/node/2407313

Use CVE-2015-3354.

> SA-CONTRIB-2015-015 - Term Merge - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2407315

Use CVE-2015-3360.

> SA-CONTRIB-2015-016 - Tadaa! - CSRF

Use CVE-2015-3356.

> SA-CONTRIB-2015-016 - Tadaa! - Open Redirect
> https://www.drupal.org/node/2407321

Use CVE-2015-3358.

> SA-CONTRIB-2015-017 - Room Reservations - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2407329

Use CVE-2015-3359.

> SA-CONTRIB-2015-018 - Video - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2407341

Use CVE-2015-3362.

> SA-CONTRIB-2015-019 - Ubercart Currency Conversion - Open Redirect
> https://www.drupal.org/node/2407347

Use CVE-2015-3342.

> SA-CONTRIB-2015-020 - Contact Form Fields - Cross Site Request Forgery (CSRF)
> https://www.drupal.org/node/2407357

Use CVE-2015-3363.

> SA-CONTRIB-2015-021 - Content Analysis - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2407395

Use CVE-2015-3364.

> SA-CONTRIB-2015-022 - nodeauthor - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2407401

Use CVE-2015-3365.

> SA-CONTRIB-2015-023 - Classified Ads - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2411527

Use CVE-2015-3368.

> SA-CONTRIB-2015-024 - Alfresco - Cross Site Request Forgery (CSRF)
> https://www.drupal.org/node/2411523

Use CVE-2015-3366.

> SA-CONTRIB-2015-025 - Patterns - Cross Site Request Forgery (CSRF)
> https://www.drupal.org/node/2411539

Use CVE-2015-3367.

> SA-CONTRIB-2015-026 - Taxonews - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2411573

Use CVE-2015-3369.

> SA-CONTRIB-2015-027 - Quizzler - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2411579

Use CVE-2015-3376.

> SA-CONTRIB-2015-028 - Shibboleth Authentication - Cross Site Request
> Forgery (CSRF)
> https://www.drupal.org/node/2411737

Use CVE-2015-3375.

> SA-CONTRIB-2015-029 - Corner - Cross Site Request Forgery (CSRF)
> https://www.drupal.org/node/2411741

Use CVE-2015-3374.

> SA-CONTRIB-2015-030 - Amazon AWS - Access bypass
> https://www.drupal.org/node/2415873

Use CVE-2015-3373.

> SA-CONTRIB-2015-031 - GD Infinite Scroll - XSS

Use CVE-2015-1567.

> SA-CONTRIB-2015-031 - GD Infinite Scroll - CSRF

Use CVE-2015-1568.

> SA-CONTRIB-2015-031 - GD Infinite Scroll - Open Redirect
> https://www.drupal.org/node/2415885

There is no mention of an open redirect in this advisory, so no CVE is
assigned, as explained in a followup post by Pere Orga.

> SA-CONTRIB-2015-032 - Node Invite - XSS

Use CVE-2015-3370.

> SA-CONTRIB-2015-032 - Node Invite - CSRF
> https://www.drupal.org/node/2415899


Use CVE-2015-3372.

Use CVE-2015-3371 for the Open Redirect that was not mentioned in the
original request, but described in SA-CONTRIB-2015-032, as explained
in a followup post by Pere Orga.

> SA-CONTRIB-2015-033 - Certify - Access bypass
> SA-CONTRIB-2015-033 - Certify - Information disclosure
> https://www.drupal.org/node/2415947

It is not clear whether there should be a single CVE or multiple CVEs.

Both "Access bypass" and "Information Disclosure" are mentioned in
<font color="FF0000"><i>SA-CONTRIB-2015-033, along with the phrase "Multiple vulnerabilities."
However, SA-CONTRIB-2015-033 also says that "The module does not
sufficiently check node access when showing (and creating) the PDF
certificates. This can lead to users seeing certificates they should
not have access to."  This suggests a single root cause - lack of node
access checks - which could lead to information disclosure.  If so,
then from the CVE perspective, this would be one vulnerability and one
ID would be assigned.

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ