oss-sec mailing list archives
Re: CVE requests for Drupal contributed modules (from SA-CONTRIB-2015-100 to SA-CONTRIB-2015-131)
From: cve-assign () mitre org
Date: Tue, 18 Aug 2015 12:30:14 -0400 (EDT)
Camtasia Relay - Cross Site Scripting (XSS) - SA-CONTRIB-2015-100 https://www.drupal.org/node/2480241
Use CVE-2015-5487.
MailChimp - Cross Site Scripting (XSS) - SA-CONTRIB-2015-101 https://www.drupal.org/node/2480253
Use CVE-2015-5488.
Smart Trim - Cross Site Scripting (XSS) - SA-CONTRIB-2015-102 https://www.drupal.org/node/2480321
Use CVE-2015-5489.
Views - Access Bypass - SA-CONTRIB-2015-103 https://www.drupal.org/node/2480327
Use CVE-2015-5490.
Dynamic display block - Access bypass - SA-CONTRIB-2015-104 https://www.drupal.org/node/2484157
Use CVE-2015-5491.
Video Consultation - Cross Site Scripting (XSS) - SA-CONTRIB-2015-105 https://www.drupal.org/node/2484195
Use CVE-2015-5492.
Entityform Block - Access Bypass - SA-CONTRIB-2015-106 https://www.drupal.org/node/2484169
Use CVE-2015-5493.
Webform Matrix Component - Cross Site Scripting (XSS) - SA-CONTRIB-2015-107 https://www.drupal.org/node/2484231
Use CVE-2015-5494.
Mobile sliding menu - Cross Site Scripting (XSS) - SA-CONTRIB-2015-108 https://www.drupal.org/node/2484233
Use CVE-2015-5495.
pass2pdf - Information Disclosure - SA-CONTRIB-2015-109 https://www.drupal.org/node/2492205
Use CVE-2015-5496.
Web Links - Cross Site Scripting (XSS) - SA-CONTRIB-2015-110 https://www.drupal.org/node/2492209
Use CVE-2015-5497.
Shipwire - Cross Site Scripting (XSS) - SA-CONTRIB-2015-111 https://www.drupal.org/node/2492243
Use CVE-2015-5498.
Navigate - Access Bypass - SA-CONTRIB-2015-112
Use CVE-2015-5499.
Navigate - Cross-site scripting - SA-CONTRIB-2015-112 https://www.drupal.org/node/2492245
Use CVE-2015-5500.
Aegir - Code Execution Prevention - SA-CONTRIB-2015-113 https://www.drupal.org/node/2492317
Use CVE-2015-5501.
Storage API - Access Bypass - SA-CONTRIB-2015-114 https://www.drupal.org/node/2495903
Use CVE-2015-5502.
Chamilo integration - Open Redirect - SA-CONTRIB-2015-115 https://www.drupal.org/node/2495931
Use CVE-2015-5503.
Novalnet Payment Module Ubercart - SQL Injection - SA-CONTRIB-2015-116 https://www.drupal.org/node/2499787
The module fails to sanitize a database query by not using the database API properly, thereby leading to a SQL Injection vulnerability.
Use CVE-2015-5504.
Since the affected path is not protected against CSRF, a malicious user can exploit this vulnerability by triggering a request to a specially-crafted URL.
It is not clear to us if this CSRF issue is exploitable. The attack seems to be against a Novalnet employee, but it is not known if Novalnet employees have access to the specific IP in a way that would make the exploit feasible.
Novalnet Payment Module Drupal Commerce - SQL Injection - SA-CONTRIB-2015-117 https://www.drupal.org/node/2499791
We believe that the Novalnet Payment Module Drupal Commerce module may share a codebase with the Novalnet Payment Module Ubercart module in SA-CONTRIB-2015-116. If you can confirm that the vulnerable code in SA-CONTRIB-2015-117 is different from the code in SA-CONTRIB-2015-116, then we will issue a separate CVE ID. Otherwise, use CVE-2015-5504 for this vulnerability.
HTTP Strict Transport Security - Logical Error - SA-CONTRIB-2015-118 https://www.drupal.org/node/2507563
Use CVE-2015-5505.
Apache Solr Real-Time - Access Bypass - SA-CONTRIB-2015-119 https://www.drupal.org/node/2507581
Use CVE-2015-5506.
Inline Entity Form - Cross Site Scripting (XSS) - SA-CONTRIB-2015-120 https://www.drupal.org/node/2507605
Use CVE-2015-5507.
The eXtensible Catalog (XC) Drupal Toolkit - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-121 https://www.drupal.org/node/2507619
Use CVE-2015-5508.
Administration Views - Access Bypass - SA-CONTRIB-2015-122 https://www.drupal.org/node/250764
Use CVE-2015-5509.
jQuery Update - Open Redirect - SA-CONTRIB-2015-123 https://www.drupal.org/node/2507729
LABjs - Open Redirect - SA-CONTRIB-2015-124 https://www.drupal.org/node/2507735
Acquia Cloud Site Factory Connector - Open Redirect - SA-CONTRIB-2015-125 https://www.drupal.org/node/2507741
A new CVE might not be necessary. We believe that SA-CONTRIB-2015-123, SA-CONTRIB-2015-124, and SA-CONTRIB-2015-125 share the same codebase (Overlay JavaScript file) as the Overlay module in SA-CORE-2015-002, which has been issued CVE-2015-3233.
Content Construction Kit (CCK) - Open Redirect - SA-CONTRIB-2015-126 https://www.drupal.org/node/2507753
Use CVE-2015-5510.
HybridAuth Social Login - Access bypass - SA-CONTRIB-2015-127 https://www.drupal.org/node/2511410
Use CVE-2015-5511.
me aliases - Access Bypass - SA-CONTRIB-2015-128 https://www.drupal.org/node/2511424
Use CVE-2015-5512.
Shibboleth authentication - Cross Site Scripting (XSS) - SA-CONTRIB-2015-129 https://www.drupal.org/node/2511518
Use CVE-2015-5513.
Migrate - Cross Site Scripting (XSS) - SA-CONTRIB-2015-130 https://www.drupal.org/node/2516678
Use CVE-2015-5514.
Views Bulk Operations - Access Bypass - SA-CONTRIB-2015-131 https://www.drupal.org/node/2516688
Use CVE-2015-5515.
---
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Current thread:
- CVE requests for Drupal contributed modules (from SA-CONTRIB-2015-100 to SA-CONTRIB-2015-131) Pere Orga (Jul 04)
- Re: CVE requests for Drupal contributed modules (from SA-CONTRIB-2015-100 to SA-CONTRIB-2015-131) cve-assign (Aug 18)