CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS
Percentile
99.7%
CVE: CVE-2012-2056
Content Lock Is a module that prevents users from concurrent editing of nodes. This module does not use a token for unlocking a content lock. This leads to a CSRF attack vector.
CVE: CVE-2012-2057
Ubercart Bulk Stock Updater is an extension module for Ubercart 2.x running on Drupal 6.x which makes it easy to bulk-edit product stock levels. This module does not properly use the formAPI and this results in a CSRF attack vector.
CVE: CVE-2012-2058
Ubercart Payflow Link is a payment solution for ubercart provided by PayPal. This module does not use a secure token and thus could allow payments to be forged.
CVE: CVE-2012-2059
ticketyboo News Tickeris a module that lets you configure three separate news tickers as Drupal Blocks. This module does not filter output correctly leading to a XSS attack vector. It may also have a SQL injection vector.
Admin tools XSS issue is
CVE: CVE-2012-2060
Admin tools CSRF issue is
CVE: CVE-2012-2061
Admin tools This package will contain a complete set of tools for managing several drupal installs. This module does not properly filter text leading to a XSS attack vector, as well as not checking tokens leading to a CSRF attack vector.
CVE: CVE-2012-2062
Redirecting click bouncer, is a module that lets you create links to a target that simply redirects to the real destination. The redirect happens server-side which means that we can track the redirects. This comes handy when we have links in our site and we need to know when they are clicked. This module does not check the URL to redirect to, this create an open redirect.
Drupal core is not affected. If you do not use one of the contributed modules listed above, there is nothing you need to do.
Users of these modules are encouraged to disable the modules and search for similar alternatives. Users of the module who wish to take over maintainership should post patches to the issue queue to fix the security issues and request maintenance following the Unsupported project process.
No fixes created.
drupal.org/contact
drupal.org/node/251466
drupal.org/project/admintools
drupal.org/project/bouncer
drupal.org/project/content_lock
drupal.org/project/ticketyboo
drupal.org/project/uc_bulk_stock_updater
drupal.org/project/uc_payflowlink
drupal.org/security-team
drupal.org/security-team/risk-levels
drupal.org/security/secure-configuration
drupal.org/user/102818
drupal.org/user/214652
drupal.org/user/35896
drupal.org/user/383424
drupal.org/user/55050
drupal.org/user/96647
drupal.org/writing-secure-code