Message-ID: <Pine.LNX.4.64.1504211351080.15902@beijing.mitre.org>
Date: Tue, 21 Apr 2015 13:52:13 -0400 (EDT)
From: cve-assign@...re.org
To: Pere Orga <pere@...a.cat>
cc: kseifried@...hat.com, oss-security@...ts.openwall.com,
cve-assign@...re.org
Subject: Re: Re: CVEs for Drupal contributed modules - January 2015
> SA-CONTRIB-2015-001 - OPAC - Cross-Site Request Forgery (CSRF)
> https://www.drupal.org/node/2403313
Use CVE-2015-3343.
> SA-CONTRIB-2015-002 - Course - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2403333
Use CVE-2015-3344.
> SA-CONTRIB-2015-003 - PHPlist Integration Module - SQL Injection
> https://www.drupal.org/node/2403343
Use CVE-2015-3345.
> SA-CONTRIB-2015-004 - Context - Open Redirect
> https://www.drupal.org/node/2403351
Use CVE-2015-1051.
> SA-CONTRIB-2015-005 - WikiWiki - SQL injection
> https://www.drupal.org/node/2403375
Use CVE-2015-3346.
> SA-CONTRIB-2015-006 - Cloudwords for Multilingual Drupal - XSS
Use CVE-2015-3348.
> SA-CONTRIB-2015-006 - Cloudwords for Multilingual Drupal - CSRF
> https://www.drupal.org/node/2403447
Use CVE-2015-3347.
> SA-CONTRIB-2015-007 - Htaccess - Cross Site Request Forgery (CSRF)
> https://www.drupal.org/node/2403445
Use CVE-2015-3349.
> SA-CONTRIB-2015-008 - Batch Jobs - Cross Site Request Forgery (CSRF)
> https://www.drupal.org/node/2403451
Use CVE-2015-3355.
> SA-CONTRIB-2015-009 - Linkit - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2403459
Use CVE-2015-3361.
> SA-CONTRIB-2015-010 - Log Watcher - Cross Site Request Forgery (CSRF)
> https://www.drupal.org/node/2403463
Use CVE-2015-3351.
> SA-CONTRIB-2015-011 - Todo Filter - Cross Site Request Forgery (CSRF)
> https://www.drupal.org/node/2403465
Use CVE-2015-3350.
> SA-CONTRIB-2015-012 - Jammer - Cross Site Request Forgery (CSRF)
> https://www.drupal.org/node/2403487
Use CVE-2015-3352.
> SA-CONTRIB-2015-013 - Field Display Label - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2403489
Use CVE-2015-3353.
> SA-CONTRIB-2015-014 - Wishlist - XSS
Use CVE-2015-3355.
> SA-CONTRIB-2015-014 - Wishlist - CSRF
> https://www.drupal.org/node/2407313
Use CVE-2015-3354.
> SA-CONTRIB-2015-015 - Term Merge - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2407315
Use CVE-2015-3360.
> SA-CONTRIB-2015-016 - Tadaa! - CSRF
Use CVE-2015-3356.
> SA-CONTRIB-2015-016 - Tadaa! - Open Redirect
> https://www.drupal.org/node/2407321
Use CVE-2015-3358.
> SA-CONTRIB-2015-017 - Room Reservations - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2407329
Use CVE-2015-3359.
> SA-CONTRIB-2015-018 - Video - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2407341
Use CVE-2015-3362.
> SA-CONTRIB-2015-019 - Ubercart Currency Conversion - Open Redirect
> https://www.drupal.org/node/2407347
Use CVE-2015-3342.
> SA-CONTRIB-2015-020 - Contact Form Fields - Cross Site Request Forgery (CSRF)
> https://www.drupal.org/node/2407357
Use CVE-2015-3363.
> SA-CONTRIB-2015-021 - Content Analysis - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2407395
Use CVE-2015-3364.
> SA-CONTRIB-2015-022 - nodeauthor - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2407401
Use CVE-2015-3365.
> SA-CONTRIB-2015-023 - Classified Ads - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2411527
Use CVE-2015-3368.
> SA-CONTRIB-2015-024 - Alfresco - Cross Site Request Forgery (CSRF)
> https://www.drupal.org/node/2411523
Use CVE-2015-3366.
> SA-CONTRIB-2015-025 - Patterns - Cross Site Request Forgery (CSRF)
> https://www.drupal.org/node/2411539
Use CVE-2015-3367.
> SA-CONTRIB-2015-026 - Taxonews - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2411573
Use CVE-2015-3369.
> SA-CONTRIB-2015-027 - Quizzler - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2411579
Use CVE-2015-3376.
> SA-CONTRIB-2015-028 - Shibboleth Authentication - Cross Site Request Forgery (CSRF)
> https://www.drupal.org/node/2411737
Use CVE-2015-3375.
> SA-CONTRIB-2015-029 - Corner - Cross Site Request Forgery (CSRF)
> https://www.drupal.org/node/2411741
Use CVE-2015-3374.
> SA-CONTRIB-2015-030 - Amazon AWS - Access bypass
> https://www.drupal.org/node/2415873
Use CVE-2015-3373.
> SA-CONTRIB-2015-031 - GD Infinite Scroll - XSS
Use CVE-2015-1567.
> SA-CONTRIB-2015-031 - GD Infinite Scroll - CSRF
Use CVE-2015-1568.
> SA-CONTRIB-2015-031 - GD Infinite Scroll - Open Redirect
> https://www.drupal.org/node/2415885
There is no mention of an open redirect in this advisory, so no CVE is
assigned, as explained in a followup post by Pere Orga.
> SA-CONTRIB-2015-032 - Node Invite - XSS
Use CVE-2015-3370.
> SA-CONTRIB-2015-032 - Node Invite - CSRF
> https://www.drupal.org/node/2415899
Use CVE-2015-3372.
Use CVE-2015-3371 for the Open Redirect that was not mentioned in the
original request, but described in SA-CONTRIB-2015-032, as explained
in a followup post by Pere Orga.
> SA-CONTRIB-2015-033 - Certify - Access bypass
> SA-CONTRIB-2015-033 - Certify - Information disclosure
> https://www.drupal.org/node/2415947
It is not clear whether there should be a single CVE or multiple CVEs.
Both "Access bypass" and "Information Disclosure" are mentioned in
SA-CONTRIB-2015-033, along with the phrase "Multiple vulnerabilities."
However, SA-CONTRIB-2015-033 also says that "The module does not
sufficiently check node access when showing (and creating) the PDF
certificates. This can lead to users seeing certificates they should
not have access to." This suggests a single root cause - lack of node
access checks - which could lead to information disclosure. If so,
then from the CVE perspective, this would be one vulnerability and one
ID would be assigned.
---
CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]