oss-sec mailing list archives
Re: CVE requests for Drupal contributed modules (from SA-CONTRIB-2015-034 to SA-CONTRIB-2015-099)
From: cve-assign () mitre org
Date: Thu, 11 Jun 2015 10:08:48 -0400 (EDT)
SA-CONTRIB-2015-034 - Commerce WeDeal - Open Redirect https://www.drupal.org/node/2420089
Use CVE-2015-3393.
SA-CONTRIB-2015-035 - Ajax Timeline - Cross Site Scripting (XSS) https://www.drupal.org/node/2420099
Use CVE-2015-3392.
SA-CONTRIB-2015-036 - Public Download Count - Cross Site Scripting (XSS) https://www.drupal.org/node/2420119
Use CVE-2015-3389.
SA-CONTRIB-2015-037 - Path Breadcrumbs - Access Bypass https://www.drupal.org/node/2420139
Use CVE-2015-3391.
SA-CONTRIB-2015-038 - Facebook Album Fetcher - Cross Site Scripting (XSS) https://www.drupal.org/node/2420161
Use CVE-2015-3390.
DRUPAL-SA-CONTRIB-2015-039 - Views - Open redirect
Use CVE-2015-3378.
DRUPAL-SA-CONTRIB-2015-039 - Views - Access bypass https://www.drupal.org/node/2424403
Use CVE-2015-3379.
DRUPAL-SA-CONTRIB-2015-040 - Webform prepopulate block - XSS https://www.drupal.org/node/2424405
Use CVE-2015-1621.
DRUPAL-SA-CONTRIB-2015-041 - Feature Set - CSRF https://www.drupal.org/node/2424409
Use CVE-2015-3380.
DRUPAL-SA-CONTRIB-2015-042 - Node basket - CSRF
Use CVE-2015-3382.
DRUPAL-SA-CONTRIB-2015-042 - Node basket - XSS
Use CVE-2015-3381.
DRUPAL-SA-CONTRIB-2015-042 - Node basket - Open redirect https://www.drupal.org/node/2424419
Use CVE-2015-3383.
DRUPAL-SA-CONTRIB-2015-043 - Commerce Balanced Payments - XSS
Use CVE-2015-3384.
DRUPAL-SA-CONTRIB-2015-043 - Commerce Balanced Payments - CSRF https://www.drupal.org/node/2424435
Use CVE-2015-3388.
DRUPAL-SA-CONTRIB-2015-044 - Taxonomy Path - XSS https://www.drupal.org/node/2424439
Use CVE-2015-3385.
DRUPAL-SA-CONTRIB-2015-045 - Node Access Product - XSS https://www.drupal.org/node/2424349
Use CVE-2015-3386.
DRUPAL-SA-CONTRIB-2015-046 - Taxonomy Tools - XSS https://www.drupal.org/node/2424355
Use CVE-2015-3387.
SA-CONTRIB-2015-047 - Panopoly Magic - Cross Site Scripting https://www.drupal.org/node/2428799
Use CVE-2015-2086.
SA-CONTRIB-2015-048 - Avatar Uploader - Arbitrary PHP code execution https://www.drupal.org/node/2428793
Use CVE-2015-2087.
SA-CONTRIB-2015-049 - Navigate - Cross Site Scripting https://www.drupal.org/node/2428815
Use CVE-2015-2101.
SA-CONTRIB-2015-050 - Services Basic Authentication - Access bypass https://www.drupal.org/node/2428851
Use CVE-2015-4344.
SA-CONTRIB-2015-051 - Term Queue - Cross Site Scripting https://www.drupal.org/node/2428853
Use CVE-2015-2088.
SA-CONTRIB-2015-052 - RESTful Web Services - Access Bypass https://www.drupal.org/node/2428863
Use CVE-2015-4345.
SA-CONTRIB-2015-053 - Entity API - Cross Site Scripting https://www.drupal.org/node/2437905
Use CVE-2015-2197.
SA-CONTRIB-2015-054 - SMS Framework - Cross Site Scripting https://www.drupal.org/node/2437943
Use CVE-2015-4346.
SA-CONTRIB-2015-055 - Services single sign-on server helper - Open Redirect https://www.drupal.org/node/2437965
Use CVE-2015-2215.
SA-CONTRIB-2015-056 - inLinks Integration - Cross Site Scripting https://www.drupal.org/node/2437969
Use CVE-2015-4347.
SA-CONTRIB-2015-057 - Spider Contacts - Multiple vulnerabilities - SQL Injection
Use CVE-2015-4348.
SA-CONTRIB-2015-057 - Spider Contacts - Multiple vulnerabilities - Cross Site Request Forgery https://www.drupal.org/node/2437973
Use CVE-2015-4349.
SA-CONTRIB-2015-058 - Spider Catalog - Cross Site Request Forgery https://www.drupal.org/node/2437977
Use CVE-2015-4350.
SA-CONTRIB-2015-059 - Spider Video Player - Arbitrary file deletion
Use CVE-2015-4351.
SA-CONTRIB-2015-059 - Spider Video Player - Cross Site Request Forgery https://www.drupal.org/node/2437981
Use CVE-2015-4352.
SA-CONTRIB-2015-060 - Custom Sitemap - Cross Site Request Forgery https://www.drupal.org/node/2437985
Use CVE-2015-4353.
SA-CONTRIB-2015-061 - Ubercart Webform Integration - Cross Site Scripting https://www.drupal.org/node/2437991
Use CVE-2015-4354.
SA-CONTRIB-2015-062 - Watchdog Aggregator - Cross Site Request Forgery https://www.drupal.org/node/2437993
Use CVE-2015-4355.
SA-CONTRIB-2015-063 has already been requested in http://www.openwall.com/lists/oss-security/2015/03/22/35
SA-CONTRIB-2015-063 - Webform - XSS related to Webform Submissions
Use CVE-2015-4356.
SA-CONTRIB-2015-063 - Webform - XSS related to Blocks https://www.drupal.org/node/2445935
Use CVE-2015-4357.
SA-CONTRIB-2015-064 - Ubercart Discount Coupons - Cross Site Scripting https://www.drupal.org/node/2445953
Use CVE-2015-4358.
SA-CONTRIB-2015-065 - Registration codes - Cross Site Scripting
Use CVE-2015-4359.
SA-CONTRIB-2015-065 - Registration codes - Cross Site Request Forgery https://www.drupal.org/node/2445955
Use CVE-2015-4360.
We also noticed this comment:
https://www.drupal.org/node/2446157#comment-9717643 I found another CSRF in the regcode_og sub module.
We believe that the CSRF vulnerability in the regcode_og sub module reported in Comment #11 was originally discovered by Pere Orga and reported in SA-CONTRIB-2015-065. If this is not the case, then MITRE will assign a new CVE ID to the vulnerability.
https://www.drupal.org/node/2446157#comment-9699601 some CSRF fixes that allowed anyone to trick administrators to delete ... the registration codes (6.x-1.x only).
Use CVE-2015-4361.
SA-CONTRIB-2015-066 - Tracking Code - Cross Site Request Forgery https://www.drupal.org/node/2445961
Use CVE-2015-4362.
SA-CONTRIB-2015-067 - Finder - Open Redirect https://www.drupal.org/node/2445967
Use CVE-2015-4363.
SA-CONTRIB-2015-068 - Campaign Monitor - Cross Site Request Forgery https://www.drupal.org/node/2445971
Use CVE-2015-4364. The scope of CVE-2015-4364 is limited to only the enable and disable list subscription vectors. Any other vulnerabilities reported in https://www.drupal.org/node/2449747 would need separate CVE IDs.
SA-CONTRIB-2015-069 - Taxonomy Accordion - Cross Site Scripting https://www.drupal.org/node/2445973
Use CVE-2015-4365.
SA-CONTRIB-2015-070 - Mover - Cross Site Scripting https://www.drupal.org/node/2445977
Use CVE-2015-4366.
SA-CONTRIB-2015-071 - Simple Subscription - Cross Site Scripting https://www.drupal.org/node/2446019
Use CVE-2015-4367.
SA-CONTRIB-2015-072 - Commerce Ogone - Access bypass https://www.drupal.org/node/2446051
Use CVE-2015-4368.
SA-CONTRIB-2015-073 - Trick Question - Cross Site Scripting https://www.drupal.org/node/2446065
Use CVE-2015-4369.
SA-CONTRIB-2015-074 - Site Documentation - Cross Site Scripting https://www.drupal.org/node/2450387
Use CVE-2015-4370.
SA-CONTRIB-2015-075 - Perfecto - Open Redirect https://www.drupal.org/node/2450391
Use CVE-2015-4371.
SA-CONTRIB-2015-076 - Image Title - Cross Site Scripting https://www.drupal.org/node/2450393
Use CVE-2015-4372.
SA-CONTRIB-2015-077 - OG tabs - Cross Site Scripting https://www.drupal.org/node/2450427
Use CVE-2015-4373.
SA-CONTRIB-2015-078 has already been requested in http://www.openwall.com/lists/oss-security/2015/03/22/35
SA-CONTRIB-2015-078 - Webform - XSS related to Webform Components https://www.drupal.org/node/2454903
Use CVE-2015-4374.
SA-CONTRIB-2015-079 has already been requested in http://www.openwall.com/lists/oss-security/2015/03/22/35
SA-CONTRIB-2015-079 - Chaos tool suite (ctools) - Access bypass
Use CVE-2015-4375.
SA-CONTRIB-2015-079 - Chaos tool suite (ctools) - Open redirect https://www.drupal.org/node/2454909
Use CVE-2015-4398.
SA-CONTRIB-2015-080 - Profile2 Privacy - Cross Site Scripting https://www.drupal.org/node/2455011
Use CVE-2015-4376.
SA-CONTRIB-2015-081 - Petition - Cross Site Scripting https://www.drupal.org/node/2459311
Use CVE-2015-4377.
SA-CONTRIB-2015-082 - Crumbs - Cross Site Scripting https://www.drupal.org/node/2459315
Use CVE-2015-4378.
SA-CONTRIB-2015-083 - Webform Multiple File Upload - Cross Site Request Forgery https://www.drupal.org/node/2459323
Use CVE-2015-4379.
SA-CONTRIB-2015-084 - Linear Case - Cross Site Scripting https://www.drupal.org/node/2459327
Use CVE-2015-4380.
SA-CONTRIB-2015-085 - Invoice - Cross Site Scripting
Use CVE-2015-4381.
SA-CONTRIB-2015-085 - Invoice - Cross Site Request Forgery https://www.drupal.org/node/2459337
Use CVE-2015-4382.
SA-CONTRIB-2015-086 - Decisions - Cross Site Request Forgery https://www.drupal.org/node/2459349
Use CVE-2015-4383.
SA-CONTRIB-2015-087 - Ubercart Webform Checkout Pane - Cross Site Scripting https://www.drupal.org/node/2459359
Use CVE-2015-4384.
SA-CONTRIB-2015-088 - Imagefield Info - Cross Site Scripting https://www.drupal.org/node/2463823
Use CVE-2015-4385.
SA-CONTRIB-2015-089 - EntityBulkDelete - Cross Site Scripting https://www.drupal.org/node/2463831
Use CVE-2015-4386.
SA-CONTRIB-2015-090 - Password Policy - Cross Site Scripting https://www.drupal.org/node/2463835
Use CVE-2015-4387.
SA-CONTRIB-2015-091 - Current Search Links - Cross Site Scripting https://www.drupal.org/node/2463843
Use CVE-2015-4388.
SA-CONTRIB-2015-092 - Open Graph Importer - Access bypass https://www.drupal.org/node/2463891
Use CVE-2015-4389.
SA-CONTRIB-2015-093 - User Import - Cross Site Request Forgery https://www.drupal.org/node/2463949
Use CVE-2015-4390.
SA-CONTRIB-2015-094 - CiviCRM private report - Cross Site Request Forgery https://www.drupal.org/node/2467697
Use CVE-2015-4391.
SA-CONTRIB-2015-095 - Display Suite - Cross Site Scripting https://www.drupal.org/node/2471733
Use CVE-2015-4392.
SA-CONTRIB-2015-096 - Services - Access bypass (file upload and execution)
Use CVE-2015-4393.
SA-CONTRIB-2015-096 - Services - Information Disclosure https://www.drupal.org/node/2471879
Use CVE-2015-4394.
SA-CONTRIB-2015-097 - HybridAuth Social Login - Information Disclosure https://www.drupal.org/node/2475943
Use CVE-2015-4395.
SA-CONTRIB-2015-098 - Keyword Research - Cross Site Request Forgery https://www.drupal.org/node/2475953
Use CVE-2015-4396.
SA-CONTRIB-2015-099 - Node Template - Cross Site Scripting https://www.drupal.org/node/2475955
Use CVE-2015-4397.
---
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]