Message-ID: <4F7FD390.7070801@redhat.com>
Date: Fri, 06 Apr 2012 23:41:36 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE's for Drupal Contrib 2012 001 through 057 (67 new CVE assignments)

So I went through all the Drupal contrib modules for 2012: 4 already
have CVEs, 3 are not security issues/not clear ("may also have an sql
injection" isn't quite enough). The data is below in CSV format and
attached as a file since the line wraps are mangling it up. Data is in
the form:

"CVE(or note)","SA#","description","URL"

=====================

"CVE-2012-1623","SA-CONTRIB-2012-001","Registration Codes - Access bypass","https://drupal.org/node/1394172"
"CVE-2012-1624","SA-CONTRIB-2012-002","Lingotek - Cross Site Scripting","https://drupal.org/node/1394220"
"CVE-2012-1625","SA-CONTRIB-2012-003","Fill PDF - Multiple vulnerabilities","https://drupal.org/node/1394428"
"CVE-2012-1626","SA-CONTRIB-2012-004","Date - SQL injection","https://drupal.org/node/1401434"
"CVE-2012-1627","SA-CONTRIB-2012-005","Vote up/down - Cross Site Scripting","https://drupal.org/node/1401580"
"CVE-2012-1628","SA-CONTRIB-2012-006","SuperCron – XSS","https://drupal.org/node/1401644"
"CVE-2012-1629","SA-CONTRIB-2012-006","Taxotouch – XSS","https://drupal.org/node/1401644"
"CVE-2012-1630","SA-CONTRIB-2012-006","Taxonomy Navigator – XSS","https://drupal.org/node/1401644"
"CVE-2012-1631","SA-CONTRIB-2012-006","Admin:hover – CSRF","https://drupal.org/node/1401644"
"CVE-2012-1632","SA-CONTRIB-2012-007","Password Policy – XSS","https://drupal.org/node/1401678"
"CVE-2012-1633","SA-CONTRIB-2012-007","Password Policy – CSRF","https://drupal.org/node/1401678"
"CVE-2012-1634","SA-CONTRIB-2012-008","Video Filter - Cross Site Scripting","https://drupal.org/node/1401838"
"CVE-2012-1635","SA-CONTRIB-2012-009","Revisioning - Access bypass","https://drupal.org/node/1409268"
"CVE-2012-1636","SA-CONTRIB-2012-010","stickynote - Multiple vulnerabilities","https://drupal.org/node/1409422"
"ALREADY CVE-2012-0914","SA-CONTRIB-2012-011","Panels - Cross Site Scripting (XSS)","https://drupal.org/node/1409436"
"CVE-2012-1637","SA-CONTRIB-2012-012","Quicktabs - Cross Site Scripting (XSS)","https://drupal.org/node/1409476"
"CVE-2012-1638","SA-CONTRIB-2012-013","Search Autocomplete - SQL Injection","https://drupal.org/node/1416612"
"CVE-2012-1639","SA-CONTRIB-2012-014","Drupal Commerce - Cross Site Scripting (XSS)","https://drupal.org/node/1416824"
"CVE-2012-1640","SA-CONTRIB-2012-015","Managesite - Cross Site Scripting (XSS)","https://drupal.org/node/1417000"
"ALREADY CVE-2012-1057","SA-CONTRIB-2012-016","Forward module CSRF","https://drupal.org/node/1425150"
"ALREADY CVE-2012-1056","SA-CONTRIB-2012-016","Forward module Access bypass","https://drupal.org/node/1425150"
"CVE-2012-1641","SA-CONTRIB-2012-017","Finder - Multiple vulnerabilities","https://drupal.org/node/1432970"
"ALREADY CVE-2012-1060","SA-CONTRIB-2012-018","Revisioning - Cross Site Scripting","https://drupal.org/node/1433550"
"CVE-2012-1642","SA-CONTRIB-2012-019","Link checker - Access bypass","https://drupal.org/node/1441252"
"CVE-2012-1643","SA-CONTRIB-2012-020","Faster Permissions - Access bypass","https://drupal.org/node/1441448"
"CVE-2012-1644","SA-CONTRIB-2012-021","Organic Groups Vocab Access Bypass","https://drupal.org/node/1441450"
"CVE-2012-1645","SA-CONTRIB-2012-022","CDN - Information disclosure","https://drupal.org/node/1441502"
"CVE-2012-1646","SA-CONTRIB-2012-023","FAQ - Cross Site Scripting","https://drupal.org/node/1451194"
"CVE-2012-1647","SA-CONTRIB-2012-024","MediaFront - Cross Site Scripting","https://drupal.org/node/1461424"
"CVE-2012-1648","SA-CONTRIB-2012-025","Cool aid; Editable help messages - XSS","https://drupal.org/node/1461438"
"CVE-2012-1649","SA-CONTRIB-2012-025","Cool aid; Editable help messages - access bypass","https://drupal.org/node/1461438"
"CVE-2012-1650","SA-CONTRIB-2012-026","ZipCart - Access bypass","https://drupal.org/node/1461446"
"CVE-2012-1651","SA-CONTRIB-2012-027","Submenu Tree - Cross Site Scripting","https://drupal.org/node/1461470"
"CVE-2012-1652","SA-CONTRIB-2012-028","Hierarchical Select - Cross Site Scripting (XSS)","https://drupal.org/node/1461724"
"CVE-2012-1653","SA-CONTRIB-2012-029","Taxonomy Views Integrator - Cross Site Scripting (XSS)","https://drupal.org/node/1461892"
"CVE-2012-1654","SA-CONTRIB-2012-030","Data - Cross Site Scripting (XSS)","https://drupal.org/node/1471780"
"CVE-2012-1655","SA-CONTRIB-2012-031","UC PayDutchGroup / WeDeal payment credential exposure","https://drupal.org/node/1471800"
"CVE-2012-1656","SA-CONTRIB-2012-031","Multisite Search SQL Injection","https://drupal.org/node/1471800"
"CVE-2012-1657","SA-CONTRIB-2012-032","Block Class - Cross Site scripting","https://drupal.org/node/1471808"
"CVE-2012-1658","SA-CONTRIB-2012-033","Read More Link - Cross Site Scripting","https://drupal.org/node/1471822"
"CVE-2012-1659","SA-CONTRIB-2012-034","Node Recommendation Cross Site Scripting (XSS)","https://drupal.org/node/1471940"
"CVE-2012-1660","SA-CONTRIB-2012-035","Webform Cross Site Scripting (XSS)","https://drupal.org/node/1472214"
"CVE-2012-2056","SA-CONTRIB-2012-036","Content Lock CSRF","https://drupal.org/node/1482126"
"CVE-2012-2057","SA-CONTRIB-2012-036","Ubercart Bulk Stock Updater CSRF","https://drupal.org/node/1482126"
"CVE-2012-2058","SA-CONTRIB-2012-036","Ubercart Payflow payment forgery","https://drupal.org/node/1482126"
"CVE-2012-2059","SA-CONTRIB-2012-036","ticketyboo News Ticker XSS","https://drupal.org/node/1482126"
"NO CVE","SA-CONTRIB-2012-036","ticketyboo “It may also have a SQL injection vector.”","https://drupal.org/node/1482126"
"CVE-2012-2060","SA-CONTRIB-2012-036","Admin tools XSS","https://drupal.org/node/1482126"
"CVE-2012-2061","SA-CONTRIB-2012-036","Admin tools CSRF","https://drupal.org/node/1482126"
"CVE-2012-2062","SA-CONTRIB-2012-036","Redirecting click bouncer – open redirect","https://drupal.org/node/1482126"
"CVE-2012-2063","SA-CONTRIB-2012-037","Slidebox - access bypass","https://drupal.org/node/1482342"
"CVE-2012-2064","SA-CONTRIB-2012-038","Views Language Switcher Cross Site Scripting (XSS)","https://drupal.org/node/1482420"
"CVE-2012-2065","SA-CONTRIB-2012-039","Language Icons - Cross Site Scripting (XSS)","https://drupal.org/node/1482428"
"CVE-2012-2066","SA-CONTRIB-2012-040","CKEditor and FCKeditor - multiple XSS","https://drupal.org/node/1482528"
"CVE-2012-2067","SA-CONTRIB-2012-040","CKEditor and FCKeditor – arbitrary code execution","https://drupal.org/node/1482528"
"CVE-2012-2068","SA-CONTRIB-2012-041","Fancy Slide - Cross Site Scripting (XSS)","https://drupal.org/node/1482744"
"CVE-2012-2069","SA-CONTRIB-2012-042","Wishlist Cross Site Scripting (XSS)","https://drupal.org/node/1492624"
"CVE-2012-2070","SA-CONTRIB-2012-043","MultiBlock - Cross Site Scripting","https://drupal.org/node/1506390"
"CVE-2012-2071","SA-CONTRIB-2012-044","Contact Forms - Cross Site Scripting","https://drupal.org/node/1506404"
"CVE-2012-2072","SA-CONTRIB-2012-045","AddToAny - Cross Site Scripting","https://drupal.org/node/1506412"
"CVE-2012-2073","SA-CONTRIB-2012-046","Bundle Copy - Arbitrary Code execution","https://drupal.org/node/1506420"
"CVE-2012-2074","SA-CONTRIB-2012-047","Ubercart Views - Information disclosure","https://drupal.org/node/1506428"
"CVE-2012-2075","SA-CONTRIB-2012-048","Contact Save - Cross Site Scripting","https://drupal.org/node/1506438"
"CVE-2012-2076","SA-CONTRIB-2012-049","ShareThis - XSS","https://drupal.org/node/1506448"
"CVE-2012-2077","SA-CONTRIB-2012-049","ShareThis - CSRF","https://drupal.org/node/1506448"
"NO CVE","SA-CONTRIB-2012-050","CDN2 Video - Unsupported","https://drupal.org/node/1506542"
"CVE-2012-2078","SA-CONTRIB-2012-051","Activity XSS","https://drupal.org/node/1506562"
"CVE-2012-2079","SA-CONTRIB-2012-051","Activity CSRF","https://drupal.org/node/1506562"
"CVE-2012-2080","SA-CONTRIB-2012-052","Node Limit Number - Cross Site Request Forgery","https://drupal.org/node/1506728"
"CVE-2012-2081","SA-CONTRIB-2012-053","Organic Groups - Access Bypass","https://drupal.org/node/1507446"
"CVE-2012-2082","SA-CONTRIB-2012-054","Chaos tool suite - Cross Site Scripting (XSS)","https://drupal.org/node/1507466"
"CVE-2012-2083","SA-CONTRIB-2012-055","Fusion theme - Cross Site Scripting (XSS)","https://drupal.org/node/1507510"
"NO CVE","SA-CONTRIB-2012-056","Janrain Engage - Sensitive Data Protection Vulnerability","https://drupal.org/node/1515282"
"CVE-2012-2084","SA-CONTRIB-2012-057","Printer, email and PDF versions - Cross Site Scripting (XSS)","https://drupal.org/node/1515722"
-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

View attachment "CVE-Drupal-Contrib-001-057.csv" of type "text/csv" (8018 bytes)
