Bug 231372 - www-apps/drupal <6.3, <5.8: xss, csrf, session fixation, sql injection (CVE-2008-{3218,3219,3220,3221,3222,3223})
Summary: www-apps/drupal <6.3, <5.8: xss, csrf, session fixation, sql injection (CVE-2...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://drupal.org/node/280571
Whiteboard: ~3 [noglsa]
Keywords:
Duplicates: 232058
Depends on: drupal6.3
Blocks:
Reported: 2008-07-10 05:54 UTC by Hanno Böck
Modified: 2008-07-22 15:40 UTC
See Also:
Package list:
Runtime testing required: ---


Description Hanno Böck gentoo-dev 2008-07-10 05:54:35 UTC
See:
http://drupal.org/node/280571
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-07-10 14:24:07 UTC
Rerating, all of these issues are B3 or B4.
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2008-07-13 00:28:21 UTC
Fixing whiteboard, since all versions are in ~arch.

web-apps, please bump
Comment 3 Peter Volkov (RETIRED) gentoo-dev 2008-07-14 11:33:16 UTC
New versions are in the tree. No stable version existed, so it seems that we are done here...
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-14 11:48:44 UTC
Thanks, closing without GLSA.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-07-17 13:57:54 UTC
*** Bug 232058 has been marked as a duplicate of this bug. ***
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-07-22 15:40:19 UTC
CVE-2008-3218 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3218):
  Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.3
  allow remote attackers to inject arbitrary web script or HTML via vectors
  related to (1) free tagging taxonomy terms, which are not properly handled on
  node preview pages, and (2) unspecified OpenID values.

CVE-2008-3219 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3219):
  The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3
  does not "prevent use of the object HTML tag in administrator input," which
  has unknown impact and attack vectors, probably related to an insufficient
  cross-site scripting (XSS) protection mechanism.

CVE-2008-3220 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3220):
  Cross-site request forgery (CSRF) vulnerability in Drupal 5.x before 5.8 and
  6.x before 6.3 allows remote attackers to perform administrative actions via
  vectors involving deletion of "translated strings."

CVE-2008-3221 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3221):
  Cross-site request forgery (CSRF) vulnerability in Drupal 6.x before 6.3
  allows remote attackers to perform administrative actions via vectors
  involving deletion of OpenID identities.

CVE-2008-3222 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3222):
  Session fixation vulnerability in Drupal 5.x before 5.8 and 6.x before 6.3,
  when contributed modules "terminate the current request during a login
  event," allows remote attackers to hijack web sessions via unknown vectors.

CVE-2008-3223 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3223):
  SQL injection vulnerability in the Schema API in Drupal 6.x before 6.3 allows
  remote attackers to execute arbitrary SQL commands via vectors related to "an
  inappropriate placeholder for 'numeric' fields."