Message-Id: <201312120444.rBC4iiud025981@linus.mitre.org>
Date: Wed, 11 Dec 2013 23:44:44 -0500 (EST)
From: cve-assign@...re.org
To: forest.monsen@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request for Drupal core, and contributed modules

SA-CONTRIB-2013-093 CVE-2013-7063

SA-CONTRIB-2013-094 CVE-2013-7064

Note that this says 'The module doesn't sufficiently fiter [sic] and validate configuration values entered by administrators. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer EU Cookie Compliance popup".'

Our perspective is that, typically, web applications do not have a threat model in which crafted configuration settings entered by admins are a vector that qualifies for a CVE assignment. You, in the context of representing the "vendor" of the module, are allowed to have that threat model if you want to. (This is entirely reasonable if an XSS attack would realistically result in privilege escalation to a higher-level admin account.) If you want to reconsider, we can optionally reject this CVE for you. Otherwise, it will remain a valid (and non-disputed) CVE.

SA-CONTRIB-2013-095

Posting content into groups where a user is not a member CVE-2013-7065

Inconsistent access checking in posting content CVE-2013-7068

SA-CONTRIB-2013-096 CVE-2013-7066

SA-CONTRIB-2013-097 CVE-2013-7067

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]