FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  351541
Date:      2014-04-18
Time:      14:56:43Z
Committer: ohauer

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
10720fe8-51e0-11e1-91c1-00215c6a37bbdrupal -- multiple vulnerabilities

Drupal development team reports:

Cross Site Request Forgery vulnerability in Aggregator module

CVE: CVE-2012-0826

An XSRF vulnerability can force an aggregator feed to update. Since some services are rate-limited (e.g. Twitter limits requests to 150 per hour) this could lead to a denial of service.

This issue affects Drupal 6.x and 7.x.

OpenID not verifying signed attributes in SREG and AX

CVE: CVE-2012-0825

A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). Not verifying that attributes being passed through AX have been signed could allow an attacker to modify users' information.

This issue affects Drupal 6.x and 7.x.

Access bypass in File module

CVE: CVE-2012-0827

When using private files in combination with certain field access modules, the File module will allow users to download the file even if they do not have access to view the field it was attached to.

This issue affects Drupal 7.x only.


Discovery 2012-02-01
Entry 2012-02-07
drupal6
lt 6.23

drupal7
lt 7.11

CVE-2012-0825
CVE-2012-0826
CVE-2012-0827
1acf9ec5-877d-11e0-b937-001372fd0af2drupal6 -- multiple vulnerabilities

Drupal Team reports:

A reflected cross site scripting vulnerability was discovered in Drupal's error handler. Drupal displays PHP errors in the messages area, and a specially crafted URL can cause malicious scripts to be injected into the message. The issue can be mitigated by disabling on-screen error display at admin / settings / error-reporting. This is the recommended setting for production sites.

When using re-colorable themes, color inputs are not sanitized. Malicious color values can be used to insert arbitrary CSS and script code. Successful exploitation requires the "Administer themes" permission.


Discovery 2011-05-25
Entry 2011-05-26
drupal6
lt 6.22

http://drupal.org/node/1168756
d9649816-5e0d-11e3-8d23-3c970e169bc2drupal -- multiple vulnerabilities

Drupal Security Team reports:

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

  • Multiple vulnerabilities due to optimistic cross-site request forgery protection (Form API validation - Drupal 6 and 7)
  • Multiple vulnerabilities due to weakness in pseudorandom number generation using mt_rand() (Form API, OpenID and random password generation - Drupal 6 and 7)
  • Code execution prevention (Files directory .htaccess for Apache - Drupal 6 and 7)
  • Access bypass (Security token validation - Drupal 6 and 7)
  • Cross-site scripting (Image module - Drupal 7)
  • Cross-site scripting (Color module - Drupal 7)
  • Open redirect (Overlay module - Drupal 7)

Discovery 2013-11-20
Entry 2013-12-06
drupal6
lt 6.29

drupal7
lt 7.24

https://drupal.org/SA-CORE-2013-003
10720fe8-51e0-11e1-91c1-00215c6a37bbdrupal -- multiple vulnerabilities

Drupal development team reports:

Cross Site Request Forgery vulnerability in Aggregator module

CVE: CVE-2012-0826

An XSRF vulnerability can force an aggregator feed to update. Since some services are rate-limited (e.g. Twitter limits requests to 150 per hour) this could lead to a denial of service.

This issue affects Drupal 6.x and 7.x.

OpenID not verifying signed attributes in SREG and AX

CVE: CVE-2012-0825

A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). Not verifying that attributes being passed through AX have been signed could allow an attacker to modify users' information.

This issue affects Drupal 6.x and 7.x.

Access bypass in File module

CVE: CVE-2012-0827

When using private files in combination with certain field access modules, the File module will allow users to download the file even if they do not have access to view the field it was attached to.

This issue affects Drupal 7.x only.


Discovery 2012-02-01
Entry 2012-02-07
drupal6
lt 6.23

drupal7
lt 7.11

CVE-2012-0825
CVE-2012-0826
CVE-2012-0827
1acf9ec5-877d-11e0-b937-001372fd0af2drupal6 -- multiple vulnerabilities

Drupal Team reports:

A reflected cross site scripting vulnerability was discovered in Drupal's error handler. Drupal displays PHP errors in the messages area, and a specially crafted URL can cause malicious scripts to be injected into the message. The issue can be mitigated by disabling on-screen error display at admin / settings / error-reporting. This is the recommended setting for production sites.

When using re-colorable themes, color inputs are not sanitized. Malicious color values can be used to insert arbitrary CSS and script code. Successful exploitation requires the "Administer themes" permission.


Discovery 2011-05-25
Entry 2011-05-26
drupal6
lt 6.22

http://drupal.org/node/1168756
1827f213-633e-11e2-8d93-c8600054b392drupal -- multiple vulnerabilities

Drupal Security Team reports:

Cross-site scripting (Various core and contributed modules)

Access bypass (Book module printer friendly version)

Access bypass (Image module)


Discovery 2013-01-16
Entry 2013-01-20
drupal6
lt 6.28

drupal7
lt 7.19

https://drupal.org/SA-CORE-2013-001