oss-sec mailing list archives
CVE requests for Drupal core (SA-CORE-2016-001)
From: Pere Orga <pere () orga cat>
Date: Wed, 24 Feb 2016 21:35:17 +0100
Hi,

Please can I have CVE IDs assigned to the following Drupal vulnerabilities (see https://www.drupal.org/SA-CORE-2016-001):

File upload access bypass and denial of service (File module - Drupal 7 and 8)
Brute force amplification attacks via XML-RPC (XML-RPC server - Drupal 6 and 7)
Open redirect via path manipulation (Base system - Drupal 6, 7 and 8)
Form API ignores access restrictions on submit buttons (Form API - Drupal 6)
HTTP header injection using line breaks (Base system - Drupal 6)
Open redirect via double-encoded 'destination' parameter (Base system - Drupal 6)
Reflected file download vulnerability (System module - Drupal 6 and 7)
Saving user accounts can sometimes grant the user all roles (User module - Drupal 6 and 7)
Email address can be matched to an account (User module - Drupal 7 and 8)
Session data truncation can lead to unserialization of user provided data (Base system - Drupal 6)

And also for the FileField contributed module:

FileField - Denial of Service
https://www.drupal.org/node/2674854

Regards
--
Pere Orga on behalf of the Drupal Security team