oss-sec mailing list archives
Re: CVE Request -- drupal7-views : SA-CONTRIB-2013-035 - Views - Cross Site Scripting (XSS)
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Mon, 25 Mar 2013 06:02:21 -0400 (EDT)
Hi Kurt,

thanks for assigning the CVE id. To follow-up on the doubt below yet.

----- Original Message -----

> On 03/22/2013 07:23 AM, Jan Lieskovsky wrote:
>> Hello Kurt, Steve, Drupal Security Team, vendors,
>>
>> Drupal upstream has released:
>> [1] http://drupal.org/node/1948358
>
> CVE-2013-1887
>
>> and updated version of the Views module (Views 7.x-3.6):
>> [2] http://drupal.org/node/1948354
>>
>> correcting one cross-site scripting (XSS) flaw.
>
> The security issue in views is caused by various places in the views UI where a string is not sanitized, because it has been assumed to be static and by committers, though you can change some of these strings using other administrative permissions.
>
> SA-CONTRIB-2013-035 - Views - Cross Site Scripting (XSS)
>
> I'm a bit confused, is this via SA-CONTRIB-2013-035 or a separate issue as well?

Those are the same issues (it's possible to get from SA-CONTRIB-2013-035 link to the http://drupal.org/node/1948354 link [just click in at Views 7.x-3.6 in SA-CONTRIB-2013-035]). In yet other words, looks like CVE-2013-1887 (previously) occurred at various places.

Relevant upstream patch seems to be this one:
http://drupalcode.org/project/views.git/commitdiff/ddf8181bd13f69ffbeeee14ae72168418785d7ac

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

>> AFAICT from [1], there doesn't seem to be a CVE identifier for this issue yet. Could you allocate one?
> --
> Kurt Seifried Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Current thread:
- CVE Request -- drupal7-views : SA-CONTRIB-2013-035 - Views - Cross Site Scripting (XSS) Jan Lieskovsky (Mar 22)
- Re: CVE Request -- drupal7-views : SA-CONTRIB-2013-035 - Views - Cross Site Scripting (XSS) Kurt Seifried (Mar 22)
- Re: CVE Request -- drupal7-views : SA-CONTRIB-2013-035 - Views - Cross Site Scripting (XSS) Jan Lieskovsky (Mar 25)
- Re: CVE Request -- drupal7-views : SA-CONTRIB-2013-035 - Views - Cross Site Scripting (XSS) Kurt Seifried (Mar 22)