Date: Tue, 18 Aug 2015 12:30:14 -0400 (EDT)
cc: Security Team <>,
Subject: Re: CVE requests for Drupal contributed modules (from
 SA-CONTRIB-2015-100 to SA-CONTRIB-2015-131)


>Camtasia Relay - Cross Site Scripting (XSS) - SA-CONTRIB-2015-100

Use CVE-2015-5487.

>MailChimp - Cross Site Scripting (XSS) - SA-CONTRIB-2015-101

Use CVE-2015-5488.

>Smart Trim - Cross Site Scripting (XSS) - SA-CONTRIB-2015-102

Use CVE-2015-5489.

>Views - Access Bypass - SA-CONTRIB-2015-103

Use CVE-2015-5490.

>Dynamic display block - Access bypass - SA-CONTRIB-2015-104

Use CVE-2015-5491.

>Video Consultation - Cross Site Scripting (XSS) - SA-CONTRIB-2015-105

Use CVE-2015-5492.

>Entityform Block - Access Bypass - SA-CONTRIB-2015-106

Use CVE-2015-5493.

>Webform Matrix Component - Cross Site Scripting (XSS) - SA-CONTRIB-2015-107

Use CVE-2015-5494.

>Mobile sliding menu - Cross Site Scripting (XSS) - SA-CONTRIB-2015-108

Use CVE-2015-5495.

>pass2pdf - Information Disclosure - SA-CONTRIB-2015-109

Use CVE-2015-5496.

>Web Links - Cross Site Scripting (XSS) - SA-CONTRIB-2015-110

Use CVE-2015-5497.

>Shipwire - Cross Site Scripting (XSS) - SA-CONTRIB-2015-111

Use CVE-2015-5498.

>Navigate - Access Bypass - SA-CONTRIB-2015-112

Use CVE-2015-5499.

>Navigate - Cross-site scripting - SA-CONTRIB-2015-112

Use CVE-2015-5500.

>Aegir - Code Execution Prevention - SA-CONTRIB-2015-113

Use CVE-2015-5501.

>Storage API - Access Bypass - SA-CONTRIB-2015-114

Use CVE-2015-5502.

>Chamilo integration - Open Redirect - SA-CONTRIB-2015-115

Use CVE-2015-5503.

>Novalnet Payment Module Ubercart - SQL Injection - SA-CONTRIB-2015-116

>The module fails to sanitize a database query by not using the database
>API properly, thereby leading to a SQL Injection vulnerability.

Use CVE-2015-5504.

>Since the affected path is not protected against CSRF, a malicious user can
>exploit this vulnerability by triggering a request to a specially-crafted URL.

It is not clear to us if this CSRF issue is exploitable.  The attack
seems to be against a Novalnet employee, but it is not known if
Novalnet employees have access to the specific IP in a way that would
make the exploit feasible.

>Novalnet Payment Module Drupal Commerce - SQL Injection - SA-CONTRIB-2015-117

We believe that the Novalnet Payment Module Drupal Commerce module may
share a codebase with the Novalnet Payment Module Ubercart module in

If you can confirm that the vulnerable code in SA-CONTRIB-2015-117 is
different from the code in SA-CONTRIB-2015-116, then we will issue a
separate CVE ID.  Otherwise, use CVE-2015-5504 for this vulnerability.

>HTTP Strict Transport Security - Logical Error - SA-CONTRIB-2015-118

Use CVE-2015-5505.

>Apache Solr Real-Time - Access Bypass - SA-CONTRIB-2015-119

Use CVE-2015-5506.

>Inline Entity Form - Cross Site Scripting (XSS) - SA-CONTRIB-2015-120

Use CVE-2015-5507.

>The eXtensible Catalog (XC) Drupal Toolkit - Cross Site Request
>Forgery (CSRF) - SA-CONTRIB-2015-121

Use CVE-2015-5508.

>Administration Views - Access Bypass - SA-CONTRIB-2015-122

Use CVE-2015-5509.

>jQuery Update - Open Redirect - SA-CONTRIB-2015-123
>LABjs - Open Redirect - SA-CONTRIB-2015-124
>Acquia Cloud Site Factory Connector - Open Redirect - SA-CONTRIB-2015-125

A new CVE might not be necessary.

We believe that SA-CONTRIB-2015-123, SA-CONTRIB-2015-124, and
SA-CONTRIB-2015-125 share the same codebase (Overlay JavaScript file)
as the Overlay module in SA-CORE-2015-002, which has been issued

>Content Construction Kit (CCK) - Open Redirect - SA-CONTRIB-2015-126

Use CVE-2015-5510.

>HybridAuth Social Login - Access bypass - SA-CONTRIB-2015-127

Use CVE-2015-5511.

>me aliases - Access Bypass - SA-CONTRIB-2015-128

Use CVE-2015-5512.

>Shibboleth authentication - Cross Site Scripting (XSS) - SA-CONTRIB-2015-129

Use CVE-2015-5513.

>Migrate - Cross Site Scripting (XSS) - SA-CONTRIB-2015-130

Use CVE-2015-5514.

>Views Bulk Operations - Access Bypass - SA-CONTRIB-2015-131

Use CVE-2015-5515.

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]