Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 2 Sep 2015 22:17:35 +0200
From: Pere Orga <pere@...a.cat>
To: cve-assign@...re.org
Cc: Security Team <security@...pal.org>, oss-security@...ts.openwall.com
Subject: Re: CVE requests for Drupal contributed modules (from
 SA-CONTRIB-2015-100 to SA-CONTRIB-2015-131)

Hi

On Tue, Aug 18, 2015 at 6:30 PM,  <cve-assign@...re.org> wrote:

[..]

>> Novalnet Payment Module Ubercart - SQL Injection - SA-CONTRIB-2015-116
>> https://www.drupal.org/node/2499787
>
>
>> The module fails to sanitize a database query by not using the database
>> API properly, thereby leading to a SQL Injection vulnerability.
>
>
> Use CVE-2015-5504.
>
>> Since the affected path is not protected against CSRF, a malicious user
>> can
>> exploit this vulnerability by triggering a request to a specially-crafted
>> URL.
>
>
> It is not clear to us if this CSRF issue is exploitable.  The attack
> seems to be against a Novalnet employee, but it is not known if
> Novalnet employees have access to the specific IP in a way that would
> make the exploit feasible.
>

At the time Novalnet was notified, they did not provide any details
but acknowledged the issue and stated their will to fix it. It is not
certain if the issue is exploitable.

>> Novalnet Payment Module Drupal Commerce - SQL Injection -
>> SA-CONTRIB-2015-117
>> https://www.drupal.org/node/2499791
>
>
> We believe that the Novalnet Payment Module Drupal Commerce module may
> share a codebase with the Novalnet Payment Module Ubercart module in
> SA-CONTRIB-2015-116.
>
> If you can confirm that the vulnerable code in SA-CONTRIB-2015-117 is
> different from the code in SA-CONTRIB-2015-116, then we will issue a
> separate CVE ID.  Otherwise, use CVE-2015-5504 for this vulnerability.
>

It is the same vulnerable code, so we'll reuse CVE-2015-5504.

[..]

>> jQuery Update - Open Redirect - SA-CONTRIB-2015-123
>> https://www.drupal.org/node/2507729
>>
>> LABjs - Open Redirect - SA-CONTRIB-2015-124
>> https://www.drupal.org/node/2507735
>>
>> Acquia Cloud Site Factory Connector - Open Redirect - SA-CONTRIB-2015-125
>> https://www.drupal.org/node/2507741
>
>
> A new CVE might not be necessary.
>
> We believe that SA-CONTRIB-2015-123, SA-CONTRIB-2015-124, and
> SA-CONTRIB-2015-125 share the same codebase (Overlay JavaScript file)
> as the Overlay module in SA-CORE-2015-002, which has been issued
> CVE-2015-3233.

Yes, these projects were affected in the same way because they shared
the same vulnerable code of Drupal core. Reusing CVE-2015-3233.

Updating our records, thanks.

Regards
Pere Orga on behalf of the Drupal Security Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.