oss-sec mailing list archives

CVE requests for Drupal core (SA-CORE-2016-001)


From: Pere Orga <pere () orga cat>
Date: Wed, 24 Feb 2016 21:35:17 +0100

Hi

Please can I have CVE IDs assigned to the following Drupal
vulnerabilities (see https://www.drupal.org/SA-CORE-2016-001):

File upload access bypass and denial of service (File module - Drupal 7 and 8)
Brute force amplification attacks via XML-RPC (XML-RPC server - Drupal 6 and 7)
Open redirect via path manipulation (Base system - Drupal 6, 7 and 8)
Form API ignores access restrictions on submit buttons (Form API - Drupal 6)
HTTP header injection using line breaks (Base system - Drupal 6)
Open redirect via double-encoded 'destination' parameter (Base system - Drupal 6)
Reflected file download vulnerability (System module - Drupal 6 and 7)
Saving user accounts can sometimes grant the user all roles (User module - Drupal 6 and 7)
Email address can be matched to an account (User module - Drupal 7 and 8)
Session data truncation can lead to unserialization of user provided data (Base system - Drupal 6)


And also for the FileField contributed module:

FileField - Denial of Service
https://www.drupal.org/node/2674854
Regards
-- 
Pere Orga on behalf of the Drupal Security team
