
List:       oss-security
Subject:    [oss-security] CVE requests for Drupal core (SA-CORE-2016-001)
From:       Pere Orga <pere () orga ! cat>
Date:       2016-02-24 20:35:17
Message-ID: CAMYtjArOz_yU+97VWT+E7a8u3v+ekb3Y-nZiARLc4arrgHvSew () mail ! gmail ! com

Hi

Please can I have CVE IDs assigned to the following Drupal
vulnerabilities (see https://www.drupal.org/SA-CORE-2016-001):

File upload access bypass and denial of service (File module - Drupal 7 and 8)
Brute force amplification attacks via XML-RPC (XML-RPC server - Drupal 6 and 7)
Open redirect via path manipulation (Base system - Drupal 6, 7 and 8)
Form API ignores access restrictions on submit buttons (Form API - Drupal 6)
HTTP header injection using line breaks (Base system - Drupal 6)
Open redirect via double-encoded 'destination' parameter (Base system - Drupal 6)
Reflected file download vulnerability (System module - Drupal 6 and 7)
Saving user accounts can sometimes grant the user all roles (User module - Drupal 6 and 7)
Email address can be matched to an account (User module - Drupal 7 and 8)
Session data truncation can lead to unserialization of user provided data (Base system - Drupal 6)


And also for the FileField contributed module:

FileField - Denial of Service
https://www.drupal.org/node/2674854



Regards
-- 
Pere Orga on behalf of the Drupal Security team
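Two of the listed classes, the open redirect via a double-encoded 'destination' parameter and the HTTP header injection using line breaks, share a root cause: the redirect target is checked before it has been fully decoded and normalized. The following is an added example, not code from this post, from the Drupal project or from its advisory; the helper names and sample inputs are constructed for illustration and say nothing about how Drupal's own code was written. It contrasts a naive check on the raw query value with one that decodes the value until it stops changing, normalizes it, and then refuses anything that is not a same-site path or that carries CR/LF.

```python
"""Added example: validating a redirect 'destination' value safely.
Not from the oss-security post or from Drupal; names are constructed."""
from typing import Optional
from urllib.parse import unquote, urlsplit


def naive_is_local(destination: str) -> bool:
    """Constructed naive check: looks at the raw value only once.

    A double-encoded value such as "%252F%252Fevil.example" passes, because
    it does not yet look like "//evil.example" at this point.
    """
    return "://" not in destination and not destination.startswith("//")


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value stops changing.

    The round limit keeps a long chain of encodings from looping forever.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def safe_local_path(destination: str) -> Optional[str]:
    """Return a same-site path for `destination`, or None if it must be refused.

    Order matters: decode completely, normalize, then judge the final form.
    """
    decoded = fully_decode(destination).strip()
    # CR, LF and NUL would let the value break out of a Location header
    # (the "header injection using line breaks" class).
    if any(ch in decoded for ch in "\r\n\0"):
        return None
    # Browsers treat backslashes like slashes in special schemes; normalize
    # so "\\evil.example" is judged the same as "//evil.example".
    decoded = decoded.replace("\\", "/")
    # "//host" and "///host" are both protocol-relative after normalization.
    if decoded.startswith("//"):
        return None
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        return None  # absolute URL ("https://...", "javascript:...")
    return decoded or "/"


if __name__ == "__main__":
    for sample in ("node/1", "%2Fnode%2F1", "%252F%252Fevil.example",
                   "https://evil.example", "node/1%0D%0ASet-Cookie:a=b"):
        print(f"{sample!r:40} naive={naive_is_local(sample)!s:5} "
              f"safe={safe_local_path(sample)!r}")
```

The design choice worth noting is that the hardened check never reasons about encodings at all: it reduces the input to its final form first and then applies one simple rule (same-site path, no header-breaking bytes), so there is no second representation left for an attacker to hide behind.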