oss-sec mailing list archives
Re: Re: CVEs for Drupal contributed modules - January 2015
From: cve-assign () mitre org
Date: Tue, 21 Apr 2015 13:52:13 -0400 (EDT)
SA-CONTRIB-2015-001 - OPAC - Cross-Site Request Forgery (CSRF) https://www.drupal.org/node/2403313
Use CVE-2015-3343.
SA-CONTRIB-2015-002 - Course - Cross Site Scripting (XSS) https://www.drupal.org/node/2403333
Use CVE-2015-3344.
SA-CONTRIB-2015-003 - PHPlist Integration Module - SQL Injection https://www.drupal.org/node/2403343
Use CVE-2015-3345.
SA-CONTRIB-2015-004 - Context - Open Redirect https://www.drupal.org/node/2403351
Use CVE-2015-1051.
SA-CONTRIB-2015-005 - WikiWiki - SQL injection https://www.drupal.org/node/2403375
Use CVE-2015-3346.
SA-CONTRIB-2015-006 - Cloudwords for Multilingual Drupal - XSS
Use CVE-2015-3348.
SA-CONTRIB-2015-006 - Cloudwords for Multilingual Drupal - CSRF https://www.drupal.org/node/2403447
Use CVE-2015-3347.
SA-CONTRIB-2015-007 - Htaccess - Cross Site Request Forgery (CSRF) https://www.drupal.org/node/2403445
Use CVE-2015-3349.
SA-CONTRIB-2015-008 - Batch Jobs - Cross Site Request Forgery (CSRF) https://www.drupal.org/node/2403451
Use CVE-2015-3355.
SA-CONTRIB-2015-009 - Linkit - Cross Site Scripting (XSS) https://www.drupal.org/node/2403459
Use CVE-2015-3361.
SA-CONTRIB-2015-010 - Log Watcher - Cross Site Request Forgery (CSRF) https://www.drupal.org/node/2403463
Use CVE-2015-3351.
SA-CONTRIB-2015-011 - Todo Filter - Cross Site Request Forgery (CSRF) https://www.drupal.org/node/2403465
Use CVE-2015-3350.
SA-CONTRIB-2015-012 - Jammer - Cross Site Request Forgery (CSRF) https://www.drupal.org/node/2403487
Use CVE-2015-3352.
SA-CONTRIB-2015-013 - Field Display Label - Cross Site Scripting (XSS) https://www.drupal.org/node/2403489
Use CVE-2015-3353.
SA-CONTRIB-2015-014 - Wishlist - XSS
Use CVE-2015-3355.
SA-CONTRIB-2015-014 - Wishlist - CSRF https://www.drupal.org/node/2407313
Use CVE-2015-3354.
SA-CONTRIB-2015-015 - Term Merge - Cross Site Scripting (XSS) https://www.drupal.org/node/2407315
Use CVE-2015-3360.
SA-CONTRIB-2015-016 - Tadaa! - CSRF
Use CVE-2015-3356.
SA-CONTRIB-2015-016 - Tadaa! - Open Redirect https://www.drupal.org/node/2407321
Use CVE-2015-3358.
SA-CONTRIB-2015-017 - Room Reservations - Cross Site Scripting (XSS) https://www.drupal.org/node/2407329
Use CVE-2015-3359.
SA-CONTRIB-2015-018 - Video - Cross Site Scripting (XSS) https://www.drupal.org/node/2407341
Use CVE-2015-3362.
SA-CONTRIB-2015-019 - Ubercart Currency Conversion - Open Redirect https://www.drupal.org/node/2407347
Use CVE-2015-3342.
SA-CONTRIB-2015-020 - Contact Form Fields - Cross Site Request Forgery (CSRF) https://www.drupal.org/node/2407357
Use CVE-2015-3363.
SA-CONTRIB-2015-021 - Content Analysis - Cross Site Scripting (XSS) https://www.drupal.org/node/2407395
Use CVE-2015-3364.
SA-CONTRIB-2015-022 - nodeauthor - Cross Site Scripting (XSS) https://www.drupal.org/node/2407401
Use CVE-2015-3365.
SA-CONTRIB-2015-023 - Classified Ads - Cross Site Scripting (XSS) https://www.drupal.org/node/2411527
Use CVE-2015-3368.
SA-CONTRIB-2015-024 - Alfresco - Cross Site Request Forgery (CSRF) https://www.drupal.org/node/2411523
Use CVE-2015-3366.
SA-CONTRIB-2015-025 - Patterns - Cross Site Request Forgery (CSRF) https://www.drupal.org/node/2411539
Use CVE-2015-3367.
SA-CONTRIB-2015-026 - Taxonews - Cross Site Scripting (XSS) https://www.drupal.org/node/2411573
Use CVE-2015-3369.
SA-CONTRIB-2015-027 - Quizzler - Cross Site Scripting (XSS) https://www.drupal.org/node/2411579
Use CVE-2015-3376.
SA-CONTRIB-2015-028 - Shibboleth Authentication - Cross Site Request Forgery (CSRF) https://www.drupal.org/node/2411737
Use CVE-2015-3375.
SA-CONTRIB-2015-029 - Corner - Cross Site Request Forgery (CSRF) https://www.drupal.org/node/2411741
Use CVE-2015-3374.
SA-CONTRIB-2015-030 - Amazon AWS - Access bypass https://www.drupal.org/node/2415873
Use CVE-2015-3373.
SA-CONTRIB-2015-031 - GD Infinite Scroll - XSS
Use CVE-2015-1567.
SA-CONTRIB-2015-031 - GD Infinite Scroll - CSRF
Use CVE-2015-1568.
SA-CONTRIB-2015-031 - GD Infinite Scroll - Open Redirect https://www.drupal.org/node/2415885
There is no mention of an open redirect in this advisory, so no CVE is assigned, as explained in a followup post by Pere Orga.
SA-CONTRIB-2015-032 - Node Invite - XSS
Use CVE-2015-3370.
SA-CONTRIB-2015-032 - Node Invite - CSRF https://www.drupal.org/node/2415899
Use CVE-2015-3372. Use CVE-2015-3371 for the Open Redirect that was not mentioned in the original request, but described in SA-CONTRIB-2015-032, as explained in a followup post by Pere Orga.
SA-CONTRIB-2015-033 - Certify - Access bypass
SA-CONTRIB-2015-033 - Certify - Information disclosure https://www.drupal.org/node/2415947
It is not clear whether there should be a single CVE or multiple CVEs. Both "Access bypass" and "Information Disclosure" are mentioned in SA-CONTRIB-2015-033, along with the phrase "Multiple vulnerabilities." However, SA-CONTRIB-2015-033 also says that "The module does not sufficiently check node access when showing (and creating) the PDF certificates. This can lead to users seeing certificates they should not have access to." This suggests a single root cause - lack of node access checks - which could lead to information disclosure. If so, then from the CVE perspective, this would be one vulnerability and one ID would be assigned.
---
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]