970 matches found
[SECURITY] Fedora 20 Update: devscripts-2.14.10-1.fc20
Scripts to make the life of a Debian Package maintainer easier...
SA-CONTRIB-2014-096 - OAuth2 Client - Cross Site Scripting (XSS)
OAuth2 Client is an API support module, enabling other modules to connect to services using OAuth2 authentication. Within its API code the Client class exposes variables in an error message, which originate from a third party source without proper sanitisation thus leading to a Cross Site Scripti...
SA-CONTRIB-2014-090 - Speech recognition - Multiple vulnerabilities
This module enables you to add speech recognition to forms, allowing site admins to enable experimental Speech Input API features on form inputs through the user interface. Cross Site Scripting XSS The module incorrectly prints fields without proper sanitization thereby opening a Cross Site...
SA-CONTRIB-2014-050 - Commerce Postfinance ePayment - Access Bypass
The Commerce Postfinance ePayment module provides commerce payment methods for the Postfinance e-Payment service provider. The module doesn't sufficiently validate incoming payment notification IPN messages. Sending a specifically crafted IPN message to an affected site allows an attacker to crea...
[SECURITY] Fedora 20 Update: abrt-2.2.1-2.fc20
abrt is a tool to help users to detect defects in applications and to create a bug report with all information needed by maintainer to fix it. It uses plugin system to extend its functionality...
SA-CONTRIB-2014-040 - Skeleton theme - Cross Site Scripting
The Skeleton theme is a responsive Drupal theme, built upon the Skeleton Boilerplate. The Skeleton theme does not properly sanitize theme settings before they are used in the output of a page. This vulnerability is mitigated by the fact that an attacker must have a role with the permission...
SA-CONTRIB-2014-029 - Mime Mail - Access Bypass
The MIME Mail module allows to send MIME-encoded e-mail messages with embedded images and attachments. By default the module only allows files to be embedded or attached that are located in the public files directory. The module doesn't sufficiently check the file location, considering similar...
SA-CONTRIB-2014-023 - Project Issue File Review - XSS
The Project Issue File Review PIFR module provides an abstracted client-server model and plugin API for performing distributed operations such as code review and testing, with a focus on supporting Drupal development. Two scenarios were identified where the module does not sufficiently sanitize...
[SECURITY] Fedora 20 Update: devscripts-2.13.9-1.fc20
Scripts to make the life of a Debian Package maintainer easier...
[SECURITY] Fedora 20 Update: devscripts-2.13.5-2.fc20
Scripts to make the life of a Debian Package maintainer easier...
SA-CONTRIB-2013-065 - Organic Groups - Access Bypass
This module enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves. The module allows any authenticated user to guess the node ID of private groups, and subscribe to them without...
No-IP Dynamic Update Client (DUC) 2.1.9 - Local IP Address Stack Overflow
No-IP Dynamic Update Client DUC 2.1.9 - Local IP Address Stack Overflow !/usr/bin/env python Title: No-IP Dynamic Update Client DUC 2.1.9 local IPaddress stack overflow Author: Alberto Ortega @a0rtega [email protected] Date: May 11 2013 vulnerability discovered Background: No-IP is probably the...
No-IP Dynamic Update Client 2.1.9 Stack Overflow
!/usr/bin/env python Title: No-IP Dynamic Update Client DUC 2.1.9 local IPaddress stack overflow Author: Alberto Ortega @a0rtega [email protected] Date: May 11 2013 vulnerability discovered Background: No-IP is probably the most used Dynamic DNS provider worldwide, their Dynamic Update Client D...
SA-CONTRIB-2013-031 - Premium Responsive theme - Cross Site Scripting (XSS)
This third-party contributed theme change Drupal's interface. The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...
SA-CONTRIB-2013-019 - Ubercart Views - Cross site scripting (XSS)
Ubercart Views provides Views integration for the Ubercart shopping cart module. The "full name" field in Views is not properly sanitized on output. The vulnerability is mitigated by the fact that an attacker must get far enough in the checkout process to store their name with an order. CVE...
SA-CONTRIB-2013-015 - Manager Change for Organic Groups - Cross site scripting (XSS)
This module extends Organic Groups to allow the manager of a group to select a new manager for their group ie if they want to leave the group. The autocomplete field for selecting a new manager didn't properly filter usernames. The vulnerability is mitigated by the fact that Drupal's default...
SA-CONTRIB-2012-143 PRH Search - Cross Site Scripting (XSS)
PRH Search provides an interface to search for association information for Finnish association using the PRH Patentti- ja Rekisterihallitus database. The module fails to sanitize data retrieved from an untrusted third party source, thereby exposing an arbitrary script injection vulnerability XSS...
DSA-2549-1 devscripts - multiple
Bulletin has no description...
CVE-2012-1580
Cross-site request forgery CSRF vulnerability in Special:Upload in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allows remote attackers to hijack the authentication of unspecified victims for requests that upload files...
CVE-2012-1578
Multiple cross-site request forgery CSRF vulnerabilities in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allow remote attackers to hijack the authentication of users with the block permission for requests that 1 block a user via a request to the Block module or 2 unblock a user via a...