FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-05-02 10:37:19 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
b3531fe1-2b03-11df-b6db-00248c9b4be7	drupal -- multiple vulnerabilities Drupal Team reports: A user-supplied value is directly output during installation allowing a malicious user to craft a URL and perform a cross-site scripting attack. The exploit can only be conducted on sites not yet installed. The API function drupal_goto() is susceptible to a phishing attack. An attacker could formulate a redirect in a way that gets the Drupal site to send the user to an arbitrarily provided URL. No user submitted data will be sent to that URL. Locale module and dependent contributed modules do not sanitize the display of language codes, native and English language names properly. While these usually come from a preselected list, arbitrary administrator input is allowed. This vulnerability is mitigated by the fact that the attacker must have a role with the 'administer languages' permission. Under certain circumstances, a user with an open session that is blocked can maintain his/her session on the Drupal site, despite being blocked. Discovery 2010-03-03 Entry 2010-03-08 drupal5 < 5.22 drupal6 < 6.16 http://drupal.org/node/731710
751823d4-f189-11de-9344-00248c9b4be7	drupal -- multiple cross-site scripting Drupal Team reports: The Contact module does not correctly handle certain user input when displaying category information. Users privileged to create contact categories can insert arbitrary HTML and script code into the contact module administration page. Such a cross-site scripting attack may lead to the malicious user gaining administrative access. The Menu module does not correctly handle certain user input when displaying the menu administration overview. Users privileged to create new menus can insert arbitrary HTML and script code into the menu module administration page. Such a cross-site scripting attack may lead to the malicious user gaining administrative access. Discovery 2009-12-16 Entry 2009-12-25 Modified 2010-05-02 drupal5 < 5.21 drupal6 < 6.15 CVE-2009-4370 http://drupal.org/node/661586

VuXML ID

Description

b3531fe1-2b03-11df-b6db-00248c9b4be7

drupal -- multiple vulnerabilities

Drupal Team reports:

A user-supplied value is directly output during installation allowing a malicious user to craft a URL and perform a cross-site scripting attack. The exploit can only be conducted on sites not yet installed.

The API function drupal_goto() is susceptible to a phishing attack. An attacker could formulate a redirect in a way that gets the Drupal site to send the user to an arbitrarily provided URL. No user submitted data will be sent to that URL.

Locale module and dependent contributed modules do not sanitize the display of language codes, native and English language names properly. While these usually come from a preselected list, arbitrary administrator input is allowed. This vulnerability is mitigated by the fact that the attacker must have a role with the 'administer languages' permission.

Under certain circumstances, a user with an open session that is blocked can maintain his/her session on the Drupal site, despite being blocked.

Discovery 2010-03-03
Entry 2010-03-08
drupal5

< 5.22

drupal6

< 6.16

http://drupal.org/node/731710

751823d4-f189-11de-9344-00248c9b4be7

drupal -- multiple cross-site scripting

Drupal Team reports:

The Contact module does not correctly handle certain user input when displaying category information. Users privileged to create contact categories can insert arbitrary HTML and script code into the contact module administration page. Such a cross-site scripting attack may lead to the malicious user gaining administrative access.

The Menu module does not correctly handle certain user input when displaying the menu administration overview. Users privileged to create new menus can insert arbitrary HTML and script code into the menu module administration page. Such a cross-site scripting attack may lead to the malicious user gaining administrative access.

Discovery 2009-12-16
Entry 2009-12-25
Modified 2010-05-02
drupal5

< 5.21

drupal6

< 6.15

CVE-2009-4370
http://drupal.org/node/661586