Date: Wed, 21 Oct 2015 11:50:44 +0000
From: "Evans, Jonathan L." <jevans@...re.org>
To: "pere@...a.cat" <pere@...a.cat>
CC: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>,
	Drupal Security Team <security@...pal.org>, CVE ID Requests
	<cve-assign@...re.org>
Subject: Re: CVE Requests for Drupal contributed modules (from
 SA-CONTRIB-2015-132 to SA-CONTRIB-2015-156)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE IDs were assigned by MITRE to most of the vulnerabilities in 
SA-CONTRIB-2015-132 through SA-CONTRIB-2015-151 before this request was made.  
To help avoid duplicates, we request that you check the existing IDs before 
asking for a new one. 

> SA-CONTRIB-2015-132 - Administration Views - Information Disclosure
> https://www.drupal.org/node/2529378

Use CVE-2015-7226.

> SA-CONTRIB-2015-133 - Path Breadcrumbs - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2533926

Use CVE-2015-6754.

> SA-CONTRIB-2015-134 - OSF for Drupal - Cross Site Scripting

Use CVE-2015-7232.

> SA-CONTRIB-2015-134 - OSF for Drupal - Cross Site Request Forgery

Use CVE-2015-7233.

> SA-CONTRIB-2015-134 - OSF for Drupal - Access bypass
> https://www.drupal.org/node/2537860

Use CVE-2015-7234.

> SA-CONTRIB-2015-135 - Time Tracker - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2537866

Use CVE-2015-6751.

> SA-CONTRIB-2015-136 - Commerce Commonwealth (CBA) - Insufficient
> Verification of API Data
> https://www.drupal.org/node/2542380

Use CVE-2015-7231.

> SA-CONTRIB-2015-137 - Quick Edit - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2546164

Use CVE-2015-6753.

> SA-CONTRIB-2015-138 - Compass Rose - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2546174

The advisory is not clear whether the vulnerability is in the unnamed JavaScript
library or the Compass Rose module.  If the former, we need to know the name of
the library to ensure we do not issue a duplicate ID.

> SA-CONTRIB-2015-139 - Workbench Email - Access bypass
> https://www.drupal.org/node/2553971

Use CVE-2015-7230.

> SA-CONTRIB-2015-140 - Search API Autocomplete - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2553977

Use CVE-2015-6752.

> SA-CONTRIB-2015-141 - Ctools - Cross Site Scripting (XSS)

Use CVE-2015-6665.  This vulnerability was merged with the Ajax system XSS
vulnerability in SA-CORE-2015-003.

> SA-CONTRIB-2015-141 - Ctools - Access bypass
> https://www.drupal.org/node/2554145

Use CVE-2015-7875.

> SA-CONTRIB-2015-142 - Spotlight - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2561375

Use CVE-2015-6808.

> SA-CONTRIB-2015-143 - Zendesk Feedback Tab - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2561893

Use CVE-2015-6921.

> SA-CONTRIB-2015-144 - Mass Contact - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2561951

Use CVE-2015-6807.

> SA-CONTRIB-2015-145 - Fieldable Panels Panes - Access bypass
> https://www.drupal.org/node/2561971

Use CVE-2015-7227.

> SA-CONTRIB-2015-146 - Twitter - Access bypass
> https://www.drupal.org/node/2565827

Use CVE-2015-7229.

> SA-CONTRIB-2015-147 - RESTful - Access bypass
> https://www.drupal.org/node/2565875

Use CVE-2015-7228.

> SA-CONTRIB-2015-148 - Drupal 7 driver for SQL Server and SQL Azure -
> SQL Injection
> https://www.drupal.org/node/2569577

Use CVE-2015-7876.

> SA-CONTRIB-2015-149 - amoCRM - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2569587

Use CVE-2015-7304.

> SA-CONTRIB-2015-150 - CMS Updater - Access bypass

Use CVE-2015-7306.

> SA-CONTRIB-2015-150 - CMS Updater - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2569599

Use CVE-2015-7307.

> SA-CONTRIB-2015-151 - Scald - Information Disclosure
> https://www.drupal.org/node/2569631

Use CVE-2015-7305.

> SA-CONTRIB-2015-152 - User Dashboard - SQL Injection
> https://www.drupal.org/node/2577901

Use CVE-2015-7877.

> SA-CONTRIB-2015-153 - Taxonomy Find - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2577903

Use CVE-2015-7878.

> SA-CONTRIB-2015-154 - Stickynote - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2581997

Use CVE-2015-7879.

> SA-CONTRIB-2015-155 - Entity Registration - Information Disclosure
> https://www.drupal.org/node/2582015

Use CVE-2015-7880.

> SA-CONTRIB-2015-156 - Colorbox - Access bypass
> https://www.drupal.org/node/2582071

Use CVE-2015-7881.

- - --
CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through 
http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
