oss-sec mailing list archives
SA-CORE-2013-003 - Drupal core - Multiple vulnerabilities
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 22 Nov 2013 13:09:04 -0700
https://drupal.org/SA-CORE-2013-003

SA-CORE-2013-003 - Drupal core - Multiple vulnerabilities

Multiple vulnerabilities due to optimistic cross-site request forgery protection (Form API validation
Please use CVE-2013-6385 for this issue.

Multiple vulnerabilities due to weakness in pseudorandom number generation using mt_rand() (Form API, OpenID and random password generation - Drupal 6 and 7)
Please use CVE-2013-6386 for this issue.

Code execution prevention (Files directory .htaccess for Apache - Drupal 6 and 7)
Treating as security hardening

Access bypass (Security token validation - Drupal 6 and 7)
Treating as security hardening

Cross-site scripting (Image module - Drupal 7)
Please use CVE-2013-6387 for this issue.

Cross-site scripting (Color module - Drupal 7)
Please use CVE-2013-6388 for this issue.

Open redirect (Overlay module - Drupal 7)
Please use CVE-2013-6389 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993