oss-sec mailing list archives
CVE request for Drupal core, and contributed modules
From: Forest Monsen <forest.monsen () gmail com>
Date: Fri, 6 Dec 2013 15:19:18 -0800
Hi there, here is a combined request for CVE identifiers for Drupal core, and contributed modules.

First, core:

SA-CORE-2013-003 - Drupal core - Multiple vulnerabilities
https://drupal.org/SA-CORE-2013-003

- "Multiple vulnerabilities due to optimistic cross-site request forgery protection (Form API validation - Drupal 6 and 7)": Correct me if I'm wrong, but I read this as a single vulnerability in the underlying core CSRF prevention code; it manifests differently based on the user-created ("contrib") callbacks that employ it.
- "Multiple vulnerabilities due to weakness in pseudorandom number generation using mt_rand() (Form API, OpenID and random password generation - Drupal 6 and 7)": Not sure if further classification of this one is necessary.
- "Code execution prevention" for the "files" directory .htaccess for Apache: Execution of local code.
- Access bypass in security token validation (as performed by drupal_valid_token()).
- Cross-site scripting in Drupal core's Image module.
- Open redirect in Drupal core's Overlay module.

Now the contributed modules:

SA-CONTRIB-2013-093 - Invitation - Access Bypass
https://drupal.org/node/2140097

SA-CONTRIB-2013-094 - EU Cookie Compliance - Cross Site Scripting (XSS)
https://drupal.org/node/2140123

SA-CONTRIB-2013-095 - Organic Groups - Access bypass
https://drupal.org/node/2140217

SA-CONTRIB-2013-096 - Entity reference - Access bypass
https://drupal.org/node/2140237

SA-CONTRIB-2013-097 - OG Features - Access bypass
https://drupal.org/node/2149791

Thanks!
Forest