FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  318453
Date:      2013-05-18
Time:      20:35:07Z
Committer: rakuco

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
10720fe8-51e0-11e1-91c1-00215c6a37bbdrupal -- multiple vulnerabilities

Drupal development team reports:

Cross Site Request Forgery vulnerability in Aggregator module

CVE: CVE-2012-0826

An XSRF vulnerability can force an aggregator feed to update. Since some services are rate-limited (e.g. Twitter limits requests to 150 per hour) this could lead to a denial of service.

This issue affects Drupal 6.x and 7.x.

OpenID not verifying signed attributes in SREG and AX

CVE: CVE-2012-0825

A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). Not verifying that attributes being passed through AX have been signed could allow an attacker to modify users' information.

This issue affects Drupal 6.x and 7.x.

Access bypass in File module

CVE: CVE-2012-0827

When using private files in combination with certain field access modules, the File module will allow users to download the file even if they do not have access to view the field it was attached to.

This issue affects Drupal 7.x only.


Discovery 2012-02-01
Entry 2012-02-07
drupal6
lt 6.23

drupal7
lt 7.11

CVE-2012-0825
CVE-2012-0826
CVE-2012-0827
10720fe8-51e0-11e1-91c1-00215c6a37bbdrupal -- multiple vulnerabilities

Drupal development team reports:

Cross Site Request Forgery vulnerability in Aggregator module

CVE: CVE-2012-0826

An XSRF vulnerability can force an aggregator feed to update. Since some services are rate-limited (e.g. Twitter limits requests to 150 per hour) this could lead to a denial of service.

This issue affects Drupal 6.x and 7.x.

OpenID not verifying signed attributes in SREG and AX

CVE: CVE-2012-0825

A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). Not verifying that attributes being passed through AX have been signed could allow an attacker to modify users' information.

This issue affects Drupal 6.x and 7.x.

Access bypass in File module

CVE: CVE-2012-0827

When using private files in combination with certain field access modules, the File module will allow users to download the file even if they do not have access to view the field it was attached to.

This issue affects Drupal 7.x only.


Discovery 2012-02-01
Entry 2012-02-07
drupal6
lt 6.23

drupal7
lt 7.11

CVE-2012-0825
CVE-2012-0826
CVE-2012-0827
1827f213-633e-11e2-8d93-c8600054b392drupal -- multiple vulnerabilities

Drupal Security Team reports:

Cross-site scripting (Various core and contributed modules)

Access bypass (Book module printer friendly version)

Access bypass (Image module)


Discovery 2013-01-16
Entry 2013-01-20
drupal6
lt 6.28

drupal7
lt 7.19

https://drupal.org/SA-CORE-2013-001
2adc3e78-22d1-11e2-b9f0-d0df9acfd7e5drupal7 -- multiple vulnerabilities

Drupal Security Team reports:

  1. Arbitrary PHP code execution

    A bug in the installer code was identified that allows an attacker to re-install Drupal using an external database server under certain transient conditions. This could allow the attacker to execute arbitrary PHP code on the original server.

  2. Information disclosure - OpenID module

    For sites using the core OpenID module, an information disclosure vulnerability was identified that allows an attacker to read files on the local filesystem by attempting to log in to the site using a malicious OpenID server.


Discovery 2012-10-17
Entry 2012-10-31
drupal7
lt 7.16

http://drupal.org/node/1815912
a4d71e4c-7bf4-11e2-84cd-d43d7e0c7c02drupal7 -- Denial of service

Drupal Security Team reports:

Drupal core's Image module allows for the on-demand generation of image derivatives. This capability can be abused by requesting a large number of new derivatives which can fill up the server disk space, and which can cause a very high CPU load. Either of these effects may lead to the site becoming unavailable or unresponsive.


Discovery 2013-02-20
Entry 2013-02-21
drupal7
lt 7.19

CVE-2013-0316
https://drupal.org/SA-CORE-2013-002