Message-ID: <CY1PR09MB0268A5BD57B6E9C86F156287CC380@CY1PR09MB0268.namprd09.prod.outlook.com>
Date: Wed, 21 Oct 2015 11:50:44 +0000
From: "Evans, Jonathan L." <jevans@...re.org>
To: "pere@...a.cat" <pere@...a.cat>
CC: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>,
	Drupal Security Team <security@...pal.org>,
	CVE ID Requests <cve-assign@...re.org>
Subject: Re: CVE Requests for Drupal contributed modules (from
 SA-CONTRIB-2015-132 to SA-CONTRIB-2015-156)

CVE IDs were assigned by MITRE to most of the vulnerabilities in
SA-CONTRIB-2015-132 through SA-CONTRIB-2015-151 before this request
was made. To help avoid duplicates, we request that you check the
existing IDs before asking for a new one.

> SA-CONTRIB-2015-132 - Administration Views - Information Disclosure
> https://www.drupal.org/node/2529378

Use CVE-2015-7226.

> SA-CONTRIB-2015-133 - Path Breadcrumbs - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2533926

Use CVE-2015-6754.

> SA-CONTRIB-2015-134 - OSF for Drupal - Cross Site Scripting

Use CVE-2015-7232.

> SA-CONTRIB-2015-134 - OSF for Drupal - Cross Site Request Forgery

Use CVE-2015-7233.

> SA-CONTRIB-2015-134 - OSF for Drupal - Access bypass
> https://www.drupal.org/node/2537860

Use CVE-2015-7234.

> SA-CONTRIB-2015-135 - Time Tracker - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2537866

Use CVE-2015-6751.

> SA-CONTRIB-2015-136 - Commerce Commonwealth (CBA) - Insufficient
> Verification of API Data
> https://www.drupal.org/node/2542380

Use CVE-2015-7231.

> SA-CONTRIB-2015-137 - Quick Edit - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2546164

Use CVE-2015-6753.

> SA-CONTRIB-2015-138 - Compass Rose - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2546174

The advisory is not clear whether the vulnerability is in the unnamed
Javascript library or the Compass Rose module.
If the former, we need to know the name of the library to ensure we
do not issue a duplicate ID.

> SA-CONTRIB-2015-139 - Workbench Email - Access bypass
> https://www.drupal.org/node/2553971

Use CVE-2015-7230.

> SA-CONTRIB-2015-140 - Search API Autocomplete - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2553977

Use CVE-2015-6752.

> SA-CONTRIB-2015-141 - Ctools - Cross Site Scripting (XSS)

Use CVE-2015-6665. This vulnerability was merged with Ajax system XSS
vulnerability in SA-CORE-2015-003.

> SA-CONTRIB-2015-141 - Ctools - Access bypass
> https://www.drupal.org/node/2554145

Use CVE-2015-7875.

> SA-CONTRIB-2015-142 - Spotlight - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2561375

Use CVE-2015-6808.

> SA-CONTRIB-2015-143 - Zendesk Feedback Tab - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2561893

Use CVE-2015-6921.

> SA-CONTRIB-2015-144 - Mass Contact - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2561951

Use CVE-2015-6807.

> SA-CONTRIB-2015-145 - Fieldable Panels Panes - Access bypass
> https://www.drupal.org/node/2561971

Use CVE-2015-7227.

> SA-CONTRIB-2015-146 - Twitter - Access bypass
> https://www.drupal.org/node/2565827

Use CVE-2015-7229.

> SA-CONTRIB-2015-147 - RESTful - Access bypass
> https://www.drupal.org/node/2565875

Use CVE-2015-7228.

> SA-CONTRIB-2015-148 - Drupal 7 driver for SQL Server and SQL Azure -
> SQL Injection
> https://www.drupal.org/node/2569577

Use CVE-2015-7876.

> SA-CONTRIB-2015-149 - amoCRM - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2569587

Use CVE-2015-7304.

> SA-CONTRIB-2015-150 - CMS Updater - Access bypass

Use CVE-2015-7306.

> SA-CONTRIB-2015-150 - CMS Updater - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2569599

Use CVE-2015-7307.

> SA-CONTRIB-2015-151 - Scald - Information Disclosure
> https://www.drupal.org/node/2569631

Use CVE-2015-7305.

> SA-CONTRIB-2015-152 - User Dashboard - SQL Injection
> https://www.drupal.org/node/2577901

Use CVE-2015-7877.

> SA-CONTRIB-2015-153 - Taxonomy Find - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2577903

Use CVE-2015-7878.

> SA-CONTRIB-2015-154 - Stickynote - Cross Site Scripting (XSS)
> https://www.drupal.org/node/2581997

Use CVE-2015-7879.

> SA-CONTRIB-2015-155 - Entity Registration - Information Disclosure
> https://www.drupal.org/node/2582015

Use CVE-2015-7880.

> SA-CONTRIB-2015-156 - Colorbox - Access bypass
> https://www.drupal.org/node/2582071

Use CVE-2015-7881.

- - --
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]