oss-sec mailing list archives

CVE request for Drupal core, and contributed modules


From: Forest Monsen <forest.monsen () gmail com>
Date: Fri, 6 Dec 2013 15:19:18 -0800

Hi there, here is a combined request for CVE identifiers for Drupal core,
and contributed modules.

First, core:
SA-CORE-2013-003 - Drupal core - Multiple vulnerabilities
 https://drupal.org/SA-CORE-2013-003

- "Multiple vulnerabilities due to optimistic cross-site request forgery
protection (Form API validation - Drupal 6 and 7)": Correct me if I'm
wrong, but I read this as a single vulnerability in the underlying core
CSRF prevention code; it manifests differently based on the user-created
("contrib") callbacks that employ it.

- "Multiple vulnerabilities due to weakness in pseudorandom number
generation using mt_rand() (Form API, OpenID and random password generation
- Drupal 6 and 7)": Not sure if further classification of this one is
necessary.

- "Code execution prevention" for the "files" directory .htaccess for
Apache: Execution of local code.

- Access bypass in security token validation (as performed by
drupal_valid_token() ).

- Cross-site scripting in Drupal core's Image module.

- Open redirect in Drupal core's Overlay module.

Now the contributed modules:
SA-CONTRIB-2013-093 - Invitation - Access Bypass
https://drupal.org/node/2140097

SA-CONTRIB-2013-094 - EU Cookie Compliance - Cross Site Scripting (XSS)
https://drupal.org/node/2140123

SA-CONTRIB-2013-095 - Organic Groups - Access bypass
https://drupal.org/node/2140217

SA-CONTRIB-2013-096 - Entity reference - Access bypass
https://drupal.org/node/2140237

SA-CONTRIB-2013-097 - OG Features - Access bypass
https://drupal.org/node/2149791

Thanks!

Forest
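The "weakness in pseudorandom number generation using mt_rand()" item above is about using a Mersenne Twister output as a secret (form token, OpenID nonce, generated password). The following Python script, added here as an illustration and not Drupal's code or anything from the advisory, shows why that fails: after observing 624 consecutive 32-bit outputs, an attacker can recover the generator's internal state and predict every later "token". Python's random module and PHP's mt_rand() both implement MT19937; the one difference worth knowing is that mt_rand() returns 31 of the 32 tempered bits, so state recovery from real mt_rand() output needs an extra step not shown here. The seed and the "leaked tokens" are constructed for the demo.

```python
import random
import secrets

MASK32 = 0xFFFFFFFF


def untemper(y: int) -> int:
    """Invert MT19937 output tempering to get the internal state word back."""
    # Undo y ^= y >> 18: the top 18 bits are untouched, so one pass suffices.
    y ^= y >> 18
    # Undo y ^= (y << 15) & 0xEFC60000: mask bits 15-16 are zero, one pass suffices.
    y ^= (y << 15) & 0xEFC60000
    # Undo y ^= (y << 7) & 0x9D2C5680: every pass fixes 7 more low-order bits.
    x = y
    for _ in range(5):
        x = y ^ ((x << 7) & 0x9D2C5680)
    y = x & MASK32
    # Undo y ^= y >> 11: every pass fixes 11 more high-order bits.
    x = y
    for _ in range(3):
        x = y ^ (x >> 11)
    return x & MASK32


def clone_mt(outputs):
    """Rebuild a generator from 624 consecutive raw 32-bit MT19937 outputs."""
    if len(outputs) != 624:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = tuple(untemper(o) for o in outputs)
    clone = random.Random()
    # Index 624 forces a twist before the next output, exactly where the
    # observed generator is after producing one full block of 624 words.
    clone.setstate((3, state + (624,), None))
    return clone


def weak_token(rng):
    """mt_rand()-style 'secret': a single generator output rendered as hex."""
    return "%08x" % rng.getrandbits(32)


def demo_prediction(seed=1337):
    """Victim hands out 624 weak tokens; attacker predicts the 625th."""
    victim = random.Random(seed)  # constructed victim; any seed behaves the same
    leaked = [victim.getrandbits(32) for _ in range(624)]  # e.g. tokens seen in pages
    attacker = clone_mt(leaked)
    predicted = weak_token(attacker)
    actual = weak_token(victim)
    return predicted, actual


def strong_token(nbytes=16):
    """The fix: draw secrets from the OS CSPRNG, never from a seeded PRNG."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    predicted, actual = demo_prediction()
    print("predicted next token:", predicted)
    print("victim's next token: ", actual)
    print("match:", predicted == actual)
    print("CSPRNG token:", strong_token())
```

Note that the outputs need not be raw tokens; anything derived injectively from one output (a hex string, a password built from a fixed alphabet index) leaks the same information, which is why the fix is to switch the source to a CSPRNG rather than to post-process the mt_rand() output.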
