From c3e1cd4817dc87bd9f280f03c4d3e02ad2957f41 Mon Sep 17 00:00:00 2001 From: delphij Date: Tue, 7 Feb 2012 23:11:21 +0000 Subject: Document Drupal core multiple vulnerabilities. --- security/vuxml/vuln.xml | 52 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) (limited to 'security') diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index d0b15cefe2b4..a420b5984749 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -47,6 +47,58 @@ Note: Please add new entries to the beginning of this file. --> + + drupal -- multiple vulnerabilities + + + drupal6 + 6.23 + + + drupal7 + 7.11 + + + + +

Drupal development team reports:

+
+

Cross Site Request Forgery vulnerability in Aggregator + module

+

CVE: CVE-2012-0826

+

An XSRF vulnerability can force an aggregator feed to + update. Since some services are rate-limited (e.g. + Twitter limits requests to 150 per hour) this could + lead to a denial of service.

+

This issue affects Drupal 6.x and 7.x.

+

OpenID not verifying signed attributes in SREG and AX

+

CVE: CVE-2012-0825

+

A group of security researchers identified a flaw in how + some OpenID relying parties implement Attribute Exchange (AX). + Not verifying that attributes being passed through AX have been + signed could allow an attacker to modify users' information.

+

This issue affects Drupal 6.x and 7.x.

+

Access bypass in File module

+

CVE: CVE-2012-0827

+

When using private files in combination with certain field + access modules, the File module will allow users to download + the file even if they do not have access to view the field + it was attached to.

+

This issue affects Drupal 7.x only.

+
+ +
+ + CVE-2012-0825 + CVE-2012-0826 + CVE-2012-0827 + + + 2012-02-01 + 2012-02-07 + +
+ bugzilla -- multiple vulnerabilities -- cgit
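Review bot: the references block at the end of the new entry carries only the three cvename entries (CVE-2012-0825, CVE-2012-0826, CVE-2012-0827) and no url element, even though the whole description is quoted from the Drupal development team's report ("Drupal development team reports:"); add a url reference to that upstream advisory so a reader can check the affected ranges (drupal6 below 6.23, drupal7 below 7.11) and the per-issue scope notes ("affects Drupal 6.x and 7.x" versus "affects Drupal 7.x only") against the original text rather than only against the CVE records.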