'Re: [oss-security] CVE Request -- drupal7-views : SA-CONTRIB-2013-035 - Views - Cross Site Scripting'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE Request -- drupal7-views : SA-CONTRIB-2013-035 - Views - Cross Site Scripting
From:       Jan Lieskovsky <jlieskov () redhat ! com>
Date:       2013-03-25 10:02:21
Message-ID: 608296419.13968118.1364205741063.JavaMail.root () redhat ! com
[Download RAW message or body]

Hi Kurt,

  thanks for assigning the CVE id. To follow-up
on the doubt below yet.

----- Original Message -----
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 03/22/2013 07:23 AM, Jan Lieskovsky wrote:
>> Hello Kurt, Steve, Drupal Security Team, vendors,
>> 
>> Drupal upstream has released: [1] http://drupal.org/node/1948358
>
> CVE-2013-1887
>
>> and updated version of the Views module (Views 7.x-3.6): [2]
>> http://drupal.org/node/1948354
>> 
>> correcting one cross-site scripting (XSS) flaw.
>
> The security issue in views is caused by various places in the views
> UI where a string is not sanitized,
> because it has been assumed to be static and by commiters, though you
> can change some of these strings using other administrative
> permissions. SA-CONTRIB-2013-035 - Views - Cross Site Scripting (XSS)
> 
> I'm a bit confused, is this via SA-CONTRIB-2013-035 or a separate
> issue as well?

Those are the same issues (it's possible to get from SA-CONTRIB-2013-035
link to the http://drupal.org/node/1948354 link [just click in at
Views 7.x-3.6 in SA-CONTRIB-2013-035]).

In yet other words, looks like CVE-2013-1887 (previously) occurred at
various places. Relevant upstream patch seems to be this one:
  http://drupalcode.org/project/views.git/commitdiff/ddf8181bd13f69ffbeeee14ae72168418785d7ac

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

>> AFAICT from [1], there doesn't seem to be a CVE identifier for this
>> issue yet.
>> 
>> Could you allocate one?

> - -- 
> Kurt Seifried Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.13 (GNU/Linux)
>
> iQIcBAEBAgAGBQJRTMJrAAoJEBYNRVNeJnmTjIUP/0rn+yNqLpAPVoZJOKKjzC/O
> AComiUFEBzLPxWbJGPS8aEY738ABh3G557U3QH0xab0WKHsq4y7pOb8i2iGmUTOM
> 9t62qmZssTf80omcPZ0rKMo+dZXIXrwNsQbqB/yApuVixfbbUPKf4vF8PQVraijm
> NaBt/Gjl7G7bpHW5ZqellBNO7eHEUqAt2FQZp+UcWfR7NFASef+8BR6plrco/Sjn
> c75GySKWia99lm7qt65Q8ddT2P9ECQIoDileWzWyrWhqHpsTilWGTe+xyF5fzob4
> Zz6Z/EE0VP/ZIbfLaNip2+8Oa665T1B2tgLuUDV3jrRu11lnB3vcNfAErWdwSULM
> sy98z8NujPPmPhXa2F1jIqZN9adPHjYuvOOEYOdZL+yiA698XxRQKmHkHom4cB4Y
> FpXk/F+YrTE+Qn0XayJZriEUIzVe8z1LWC8lQDA8xWmCEptu81fIVd97A6Tk2MrV
> 4Z2pNuJ1Z3EGkZBuFNbf1FZ6M8KTbwE8qz0gEia0GpmNDegecUWewxtlxqRM4xLD
> CVfpYWN3EsS2u2M7Maw2kdHWuWjxaS69xLncVKaDB5oEFrpU61PIhLoglneDdZxH
> BgANfSjucbxvfeOWapjk0GPd9cNKQ5jtKMRZb/x6JtkLBjX+GZTMlDvI82A0BN76
> JOYCC9mTQ1uRfCHsITzV
> =gTiE
> -----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic