oss-sec mailing list archives

CVE's for Drupal Contrib 2012 001 through 057 (67 new CVE assignments)


From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 06 Apr 2012 23:41:36 -0600

So I went through all the Drupal contrib modules for 2012: 4 already
have CVEs, 3 are not security issues/not clear ("may also have an sql
injection" isn't quite enough). The data is below in CSV format and
attached as a file, since the line wraps are mangling it up. Data is in
the form:

"CVE(or note)","SA#","description","URL"

=====================

"CVE-2012-1623","SA-CONTRIB-2012-001","Registration Codes - Access bypass","https://drupal.org/node/1394172"
"CVE-2012-1624","SA-CONTRIB-2012-002","Lingotek - Cross Site Scripting","https://drupal.org/node/1394220"
"CVE-2012-1625","SA-CONTRIB-2012-003","Fill PDF - Multiple vulnerabilities","https://drupal.org/node/1394428"
"CVE-2012-1626","SA-CONTRIB-2012-004","Date - SQL injection","https://drupal.org/node/1401434"
"CVE-2012-1627","SA-CONTRIB-2012-005","Vote up/down - Cross Site Scripting","https://drupal.org/node/1401580"
"CVE-2012-1628","SA-CONTRIB-2012-006","SuperCron – XSS","https://drupal.org/node/1401644"
"CVE-2012-1629","SA-CONTRIB-2012-006","Taxotouch – XSS","https://drupal.org/node/1401644"
"CVE-2012-1630","SA-CONTRIB-2012-006","Taxonomy Navigator – XSS","https://drupal.org/node/1401644"
"CVE-2012-1631","SA-CONTRIB-2012-006","Admin:hover – CSRF","https://drupal.org/node/1401644"
"CVE-2012-1632","SA-CONTRIB-2012-007","Password Policy – XSS","https://drupal.org/node/1401678"
"CVE-2012-1633","SA-CONTRIB-2012-007","Password Policy – CSRF","https://drupal.org/node/1401678"
"CVE-2012-1634","SA-CONTRIB-2012-008","Video Filter - Cross Site Scripting","https://drupal.org/node/1401838"
"CVE-2012-1635","SA-CONTRIB-2012-009","Revisioning - Access bypass","https://drupal.org/node/1409268"
"CVE-2012-1636","SA-CONTRIB-2012-010","stickynote - Multiple vulnerabilities","https://drupal.org/node/1409422"
"ALREADY CVE-2012-0914","SA-CONTRIB-2012-011","Panels - Cross Site Scripting (XSS)","https://drupal.org/node/1409436"
"CVE-2012-1637","SA-CONTRIB-2012-012","Quicktabs - Cross Site Scripting (XSS)","https://drupal.org/node/1409476"
"CVE-2012-1638","SA-CONTRIB-2012-013","Search Autocomplete - SQL Injection","https://drupal.org/node/1416612"
"CVE-2012-1639","SA-CONTRIB-2012-014","Drupal Commerce - Cross Site Scripting (XSS)","https://drupal.org/node/1416824"
"CVE-2012-1640","SA-CONTRIB-2012-015","Managesite - Cross Site Scripting (XSS)","https://drupal.org/node/1417000"
"ALREADY CVE-2012-1057","SA-CONTRIB-2012-016","Forward module CSRF","https://drupal.org/node/1425150"
"ALREADY CVE-2012-1056","SA-CONTRIB-2012-016","Forward module Access bypass","https://drupal.org/node/1425150"
"CVE-2012-1641","SA-CONTRIB-2012-017","Finder - Multiple vulnerabilities","https://drupal.org/node/1432970"
"ALREADY CVE-2012-1060","SA-CONTRIB-2012-018","Revisioning - Cross Site Scripting","https://drupal.org/node/1433550"
"CVE-2012-1642","SA-CONTRIB-2012-019","Link checker - Access bypass","https://drupal.org/node/1441252"
"CVE-2012-1643","SA-CONTRIB-2012-020","Faster Permissions - Access bypass","https://drupal.org/node/1441448"
"CVE-2012-1644","SA-CONTRIB-2012-021","Organic Groups Vocab Access Bypass","https://drupal.org/node/1441450"
"CVE-2012-1645","SA-CONTRIB-2012-022","CDN - Information disclosure","https://drupal.org/node/1441502"
"CVE-2012-1646","SA-CONTRIB-2012-023","FAQ - Cross Site Scripting","https://drupal.org/node/1451194"
"CVE-2012-1647","SA-CONTRIB-2012-024","MediaFront - Cross Site Scripting","https://drupal.org/node/1461424"
"CVE-2012-1648","SA-CONTRIB-2012-025","Cool aid; Editable help messages - XSS","https://drupal.org/node/1461438"
"CVE-2012-1649","SA-CONTRIB-2012-025","Cool aid; Editable help messages - access bypass","https://drupal.org/node/1461438"
"CVE-2012-1650","SA-CONTRIB-2012-026","ZipCart - Access bypass","https://drupal.org/node/1461446"
"CVE-2012-1651","SA-CONTRIB-2012-027","Submenu Tree - Cross Site Scripting","https://drupal.org/node/1461470"
"CVE-2012-1652","SA-CONTRIB-2012-028","Hierarchical Select - Cross Site Scripting (XSS)","https://drupal.org/node/1461724"
"CVE-2012-1653","SA-CONTRIB-2012-029","Taxonomy Views Integrator - Cross Site Scripting (XSS)","https://drupal.org/node/1461892"
"CVE-2012-1654","SA-CONTRIB-2012-030","Data - Cross Site Scripting (XSS)","https://drupal.org/node/1471780"
"CVE-2012-1655","SA-CONTRIB-2012-031","UC PayDutchGroup / WeDeal payment credential exposure","https://drupal.org/node/1471800"
"CVE-2012-1656","SA-CONTRIB-2012-031","Multisite Search SQL Injection","https://drupal.org/node/1471800"
"CVE-2012-1657","SA-CONTRIB-2012-032","Block Class - Cross Site Scripting","https://drupal.org/node/1471808"
"CVE-2012-1658","SA-CONTRIB-2012-033","Read More Link - Cross Site Scripting","https://drupal.org/node/1471822"
"CVE-2012-1659","SA-CONTRIB-2012-034","Node Recommendation Cross Site Scripting (XSS)","https://drupal.org/node/1471940"
"CVE-2012-1660","SA-CONTRIB-2012-035","Webform Cross Site Scripting (XSS)","https://drupal.org/node/1472214"
"CVE-2012-2056","SA-CONTRIB-2012-036","Content Lock CSRF","https://drupal.org/node/1482126"
"CVE-2012-2057","SA-CONTRIB-2012-036","Ubercart Bulk Stock Updater CSRF","https://drupal.org/node/1482126"
"CVE-2012-2058","SA-CONTRIB-2012-036","Ubercart Payflow payment forgery","https://drupal.org/node/1482126"
"CVE-2012-2059","SA-CONTRIB-2012-036","ticketyboo News Ticker XSS","https://drupal.org/node/1482126"
"NO CVE","SA-CONTRIB-2012-036","ticketyboo “It may also have a SQL injection vector.”","https://drupal.org/node/1482126"
"CVE-2012-2060","SA-CONTRIB-2012-036","Admin tools XSS","https://drupal.org/node/1482126"
"CVE-2012-2061","SA-CONTRIB-2012-036","Admin tools CSRF","https://drupal.org/node/1482126"
"CVE-2012-2062","SA-CONTRIB-2012-036","Redirecting click bouncer – open redirect","https://drupal.org/node/1482126"
"CVE-2012-2063","SA-CONTRIB-2012-037","Slidebox - access bypass","https://drupal.org/node/1482342"
"CVE-2012-2064","SA-CONTRIB-2012-038","Views Language Switcher Cross Site Scripting (XSS)","https://drupal.org/node/1482420"
"CVE-2012-2065","SA-CONTRIB-2012-039","Language Icons - Cross Site Scripting (XSS)","https://drupal.org/node/1482428"
"CVE-2012-2066","SA-CONTRIB-2012-040","CKEditor and FCKeditor - multiple XSS","https://drupal.org/node/1482528"
"CVE-2012-2067","SA-CONTRIB-2012-040","CKEditor and FCKeditor – arbitrary code execution","https://drupal.org/node/1482528"
"CVE-2012-2068","SA-CONTRIB-2012-041","Fancy Slide - Cross Site Scripting (XSS)","https://drupal.org/node/1482744"
"CVE-2012-2069","SA-CONTRIB-2012-042","Wishlist Cross Site Scripting (XSS)","https://drupal.org/node/1492624"
"CVE-2012-2070","SA-CONTRIB-2012-043","MultiBlock - Cross Site Scripting","https://drupal.org/node/1506390"
"CVE-2012-2071","SA-CONTRIB-2012-044","Contact Forms - Cross Site Scripting","https://drupal.org/node/1506404"
"CVE-2012-2072","SA-CONTRIB-2012-045","AddToAny - Cross Site Scripting","https://drupal.org/node/1506412"
"CVE-2012-2073","SA-CONTRIB-2012-046","Bundle Copy - Arbitrary Code execution","https://drupal.org/node/1506420"
"CVE-2012-2074","SA-CONTRIB-2012-047","Ubercart Views - Information disclosure","https://drupal.org/node/1506428"
"CVE-2012-2075","SA-CONTRIB-2012-048","Contact Save - Cross Site Scripting","https://drupal.org/node/1506438"
"CVE-2012-2076","SA-CONTRIB-2012-049","ShareThis - XSS","https://drupal.org/node/1506448"
"CVE-2012-2077","SA-CONTRIB-2012-049","ShareThis - CSRF","https://drupal.org/node/1506448"
"NO CVE","SA-CONTRIB-2012-050","CDN2 Video - Unsupported","https://drupal.org/node/1506542"
"CVE-2012-2078","SA-CONTRIB-2012-051","Activity XSS","https://drupal.org/node/1506562"
"CVE-2012-2079","SA-CONTRIB-2012-051","Activity CSRF","https://drupal.org/node/1506562"
"CVE-2012-2080","SA-CONTRIB-2012-052","Node Limit Number - Cross Site Request Forgery","https://drupal.org/node/1506728"
"CVE-2012-2081","SA-CONTRIB-2012-053","Organic Groups - Access Bypass","https://drupal.org/node/1507446"
"CVE-2012-2082","SA-CONTRIB-2012-054","Chaos tool suite - Cross Site Scripting (XSS)","https://drupal.org/node/1507466"
"CVE-2012-2083","SA-CONTRIB-2012-055","Fusion theme - Cross Site Scripting (XSS)","https://drupal.org/node/1507510"
"NO CVE","SA-CONTRIB-2012-056","Janrain Engage - Sensitive Data Protection Vulnerability","https://drupal.org/node/1515282"
"CVE-2012-2084","SA-CONTRIB-2012-057","Printer, email and PDF versions - Cross Site Scripting (XSS)","https://drupal.org/node/1515722"



-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Attachment: CVE-Drupal-Contrib-001-057.csv