oss-sec mailing list archives

Re: CVE requests for Drupal contributed modules (from SA-CONTRIB-2015-034 to SA-CONTRIB-2015-099)


From: cve-assign () mitre org
Date: Thu, 11 Jun 2015 10:08:48 -0400 (EDT)


SA-CONTRIB-2015-034 - Commerce WeDeal - Open Redirect
https://www.drupal.org/node/2420089

Use CVE-2015-3393.

SA-CONTRIB-2015-035 - Ajax Timeline - Cross Site Scripting (XSS)
https://www.drupal.org/node/2420099

Use CVE-2015-3392.

SA-CONTRIB-2015-036 - Public Download Count - Cross Site Scripting (XSS)
https://www.drupal.org/node/2420119

Use CVE-2015-3389.

SA-CONTRIB-2015-037 - Path Breadcrumbs - Access Bypass
https://www.drupal.org/node/2420139

Use CVE-2015-3391.

SA-CONTRIB-2015-038 - Facebook Album Fetcher - Cross Site Scripting (XSS)
https://www.drupal.org/node/2420161

Use CVE-2015-3390.

DRUPAL-SA-CONTRIB-2015-039 - Views - Open redirect

Use CVE-2015-3378.

DRUPAL-SA-CONTRIB-2015-039 - Views - Access bypass
https://www.drupal.org/node/2424403

Use CVE-2015-3379.

DRUPAL-SA-CONTRIB-2015-040 - Webform prepopulate block - XSS
https://www.drupal.org/node/2424405

Use CVE-2015-1621.

DRUPAL-SA-CONTRIB-2015-041 - Feature Set - CSRF
https://www.drupal.org/node/2424409

Use CVE-2015-3380.

DRUPAL-SA-CONTRIB-2015-042 - Node basket - CSRF

Use CVE-2015-3382.

DRUPAL-SA-CONTRIB-2015-042 - Node basket - XSS

Use CVE-2015-3381.

DRUPAL-SA-CONTRIB-2015-042 - Node basket - Open redirect
https://www.drupal.org/node/2424419

Use CVE-2015-3383.

DRUPAL-SA-CONTRIB-2015-043 - Commerce Balanced Payments - XSS

Use CVE-2015-3384.

DRUPAL-SA-CONTRIB-2015-043 - Commerce Balanced Payments - CSRF
https://www.drupal.org/node/2424435

Use CVE-2015-3388.

DRUPAL-SA-CONTRIB-2015-044 - Taxonomy Path - XSS
https://www.drupal.org/node/2424439

Use CVE-2015-3385.

DRUPAL-SA-CONTRIB-2015-045 - Node Access Product - XSS
https://www.drupal.org/node/2424349

Use CVE-2015-3386.

DRUPAL-SA-CONTRIB-2015-046 - Taxonomy Tools - XSS
https://www.drupal.org/node/2424355

Use CVE-2015-3387.

SA-CONTRIB-2015-047 - Panopoly Magic - Cross Site Scripting
https://www.drupal.org/node/2428799

Use CVE-2015-2086.

SA-CONTRIB-2015-048 - Avatar Uploader - Arbitrary PHP code execution
https://www.drupal.org/node/2428793

Use CVE-2015-2087.

SA-CONTRIB-2015-049 - Navigate - Cross Site Scripting
https://www.drupal.org/node/2428815

Use CVE-2015-2101.

SA-CONTRIB-2015-050 - Services Basic Authentication - Access bypass
https://www.drupal.org/node/2428851

Use CVE-2015-4344.

SA-CONTRIB-2015-051 - Term Queue - Cross Site Scripting
https://www.drupal.org/node/2428853

Use CVE-2015-2088.

SA-CONTRIB-2015-052 - RESTful Web Services - Access Bypass
https://www.drupal.org/node/2428863

Use CVE-2015-4345.

SA-CONTRIB-2015-053 - Entity API - Cross Site Scripting
https://www.drupal.org/node/2437905

Use CVE-2015-2197.

SA-CONTRIB-2015-054 - SMS Framework - Cross Site Scripting
https://www.drupal.org/node/2437943

Use CVE-2015-4346.

SA-CONTRIB-2015-055 - Services single sign-on server helper - Open Redirect
https://www.drupal.org/node/2437965

Use CVE-2015-2215.

SA-CONTRIB-2015-056 - inLinks Integration - Cross Site Scripting
https://www.drupal.org/node/2437969

Use CVE-2015-4347.

SA-CONTRIB-2015-057 - Spider Contacts - Multiple vulnerabilities - SQL Injection

Use CVE-2015-4348.

SA-CONTRIB-2015-057 - Spider Contacts - Multiple vulnerabilities -
Cross Site Request Forgery
https://www.drupal.org/node/2437973

Use CVE-2015-4349.

SA-CONTRIB-2015-058 - Spider Catalog - Cross Site Request Forgery
https://www.drupal.org/node/2437977

Use CVE-2015-4350.

SA-CONTRIB-2015-059 - Spider Video Player - Arbitrary file deletion

Use CVE-2015-4351.

SA-CONTRIB-2015-059 - Spider Video Player - Cross Site Request Forgery
https://www.drupal.org/node/2437981

Use CVE-2015-4352.

SA-CONTRIB-2015-060 - Custom Sitemap - Cross Site Request Forgery
https://www.drupal.org/node/2437985

Use CVE-2015-4353.

SA-CONTRIB-2015-061 - Ubercart Webform Integration - Cross Site Scripting
https://www.drupal.org/node/2437991

Use CVE-2015-4354.

SA-CONTRIB-2015-062 - Watchdog Aggregator - Cross Site Request Forgery
https://www.drupal.org/node/2437993

Use CVE-2015-4355.

SA-CONTRIB-2015-063 has already been requested in
http://www.openwall.com/lists/oss-security/2015/03/22/35
SA-CONTRIB-2015-063 - Webform - XSS related to Webform Submissions

Use CVE-2015-4356.

SA-CONTRIB-2015-063 - Webform - XSS related to Blocks
https://www.drupal.org/node/2445935

Use CVE-2015-4357.

SA-CONTRIB-2015-064 - Ubercart Discount Coupons - Cross Site Scripting
https://www.drupal.org/node/2445953

Use CVE-2015-4358.

SA-CONTRIB-2015-065 - Registration codes - Cross Site Scripting

Use CVE-2015-4359.

SA-CONTRIB-2015-065 - Registration codes - Cross Site Request Forgery
https://www.drupal.org/node/2445955

Use CVE-2015-4360.

We also noticed this comment:

https://www.drupal.org/node/2446157#comment-9717643
I found another CSRF in the regcode_og sub module.

We believe that the CSRF vulnerability in the regcode_og sub module
reported in Comment #11 was originally discovered by Pere Orga and
reported in SA-CONTRIB-2015-065.  If this is not the case, then MITRE
will assign a new CVE ID to the vulnerability.

https://www.drupal.org/node/2446157#comment-9699601
some CSRF fixes that allowed anyone to trick administrators to delete ... the
registration codes (6.x-1.x only).

Use CVE-2015-4361.

SA-CONTRIB-2015-066 - Tracking Code - Cross Site Request Forgery
https://www.drupal.org/node/2445961

Use CVE-2015-4362.

SA-CONTRIB-2015-067 - Finder - Open Redirect
https://www.drupal.org/node/2445967

Use CVE-2015-4363.

SA-CONTRIB-2015-068 - Campaign Monitor - Cross Site Request Forgery
https://www.drupal.org/node/2445971

Use CVE-2015-4364.  The scope of CVE-2015-4364 is limited to only the
enable and disable list subscription vectors.  Any other
vulnerabilities reported in https://www.drupal.org/node/2449747 would
need separate CVE IDs.

SA-CONTRIB-2015-069 - Taxonomy Accordion - Cross Site Scripting
https://www.drupal.org/node/2445973

Use CVE-2015-4365.

SA-CONTRIB-2015-070 - Mover - Cross Site Scripting
https://www.drupal.org/node/2445977

Use CVE-2015-4366.

SA-CONTRIB-2015-071 - Simple Subscription - Cross Site Scripting
https://www.drupal.org/node/2446019

Use CVE-2015-4367.

SA-CONTRIB-2015-072 - Commerce Ogone - Access bypass
https://www.drupal.org/node/2446051

Use CVE-2015-4368.

SA-CONTRIB-2015-073 - Trick Question - Cross Site Scripting
https://www.drupal.org/node/2446065

Use CVE-2015-4369.

SA-CONTRIB-2015-074 - Site Documentation - Cross Site Scripting
https://www.drupal.org/node/2450387

Use CVE-2015-4370.

SA-CONTRIB-2015-075 - Perfecto - Open Redirect
https://www.drupal.org/node/2450391

Use CVE-2015-4371.

SA-CONTRIB-2015-076 - Image Title - Cross Site Scripting
https://www.drupal.org/node/2450393

Use CVE-2015-4372.

SA-CONTRIB-2015-077 - OG tabs - Cross Site Scripting
https://www.drupal.org/node/2450427

Use CVE-2015-4373.

SA-CONTRIB-2015-078 has already been requested in
http://www.openwall.com/lists/oss-security/2015/03/22/35
SA-CONTRIB-2015-078 - Webform - XSS related to Webform Components
https://www.drupal.org/node/2454903

Use CVE-2015-4374.

SA-CONTRIB-2015-079 has already been requested in
http://www.openwall.com/lists/oss-security/2015/03/22/35
SA-CONTRIB-2015-079 - Chaos tool suite (ctools) - Access bypass

Use CVE-2015-4375.

SA-CONTRIB-2015-079 - Chaos tool suite (ctools) - Open redirect
https://www.drupal.org/node/2454909

Use CVE-2015-4398.

SA-CONTRIB-2015-080 - Profile2 Privacy - Cross Site Scripting
https://www.drupal.org/node/2455011

Use CVE-2015-4376.

SA-CONTRIB-2015-081 - Petition - Cross Site Scripting
https://www.drupal.org/node/2459311

Use CVE-2015-4377.

SA-CONTRIB-2015-082 - Crumbs - Cross Site Scripting
https://www.drupal.org/node/2459315

Use CVE-2015-4378.

SA-CONTRIB-2015-083 - Webform Multiple File Upload - Cross Site Request Forgery
https://www.drupal.org/node/2459323

Use CVE-2015-4379.

SA-CONTRIB-2015-084 - Linear Case - Cross Site Scripting
https://www.drupal.org/node/2459327

Use CVE-2015-4380.

SA-CONTRIB-2015-085 - Invoice - Cross Site Scripting

Use CVE-2015-4381.

SA-CONTRIB-2015-085 - Invoice - Cross Site Request Forgery
https://www.drupal.org/node/2459337

Use CVE-2015-4382.

SA-CONTRIB-2015-086 - Decisions - Cross Site Request Forgery
https://www.drupal.org/node/2459349

Use CVE-2015-4383.

SA-CONTRIB-2015-087 - Ubercart Webform Checkout Pane - Cross Site Scripting
https://www.drupal.org/node/2459359

Use CVE-2015-4384.

SA-CONTRIB-2015-088 - Imagefield Info - Cross Site Scripting
https://www.drupal.org/node/2463823

Use CVE-2015-4385.

SA-CONTRIB-2015-089 - EntityBulkDelete - Cross Site Scripting
https://www.drupal.org/node/2463831

Use CVE-2015-4386.

SA-CONTRIB-2015-090 - Password Policy - Cross Site Scripting
https://www.drupal.org/node/2463835

Use CVE-2015-4387.

SA-CONTRIB-2015-091 - Current Search Links - Cross Site Scripting
https://www.drupal.org/node/2463843

Use CVE-2015-4388.

SA-CONTRIB-2015-092 - Open Graph Importer - Access bypass
https://www.drupal.org/node/2463891

Use CVE-2015-4389.

SA-CONTRIB-2015-093 - User Import - Cross Site Request Forgery
https://www.drupal.org/node/2463949

Use CVE-2015-4390.

SA-CONTRIB-2015-094 - CiviCRM private report - Cross Site Request Forgery
https://www.drupal.org/node/2467697

Use CVE-2015-4391.

SA-CONTRIB-2015-095 - Display Suite - Cross Site Scripting
https://www.drupal.org/node/2471733

Use CVE-2015-4392.

SA-CONTRIB-2015-096 - Services - Access bypass (file upload and execution)

Use CVE-2015-4393.

SA-CONTRIB-2015-096 - Services - Information Disclosure
https://www.drupal.org/node/2471879

Use CVE-2015-4394.

SA-CONTRIB-2015-097 - HybridAuth Social Login - Information Disclosure
https://www.drupal.org/node/2475943

Use CVE-2015-4395.

SA-CONTRIB-2015-098 - Keyword Research - Cross Site Request Forgery
https://www.drupal.org/node/2475953

Use CVE-2015-4396.

SA-CONTRIB-2015-099 - Node Template - Cross Site Scripting
https://www.drupal.org/node/2475955

Use CVE-2015-4397.

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
