Multiple vulnerabilities - Drupal <5.10 / <6.4

Cross site scripting (<5.10 / <6.4)
Arbitrary file uploads via BlogAPI (<5.10 / <6.4)
Cross site request forgeries (<5.10 / <6.4)
Various Upload module vulnerabilities (<6.4)

For more information: http://drupal.org/node/295053
(Can't find any CVE yet)

Reproducible: Always
Secunia already picked this up, so it will get a CVE through that.
in cvs, no stable version
thanks, closing.
Thanks to hanno and Steven from mitre for the CVEs:

CVE-2008-3740 - first XSS
CVE-2008-3741 - second XSS. This has a different root cause so is SPLIT.
CVE-2008-3742 - BlogAPI file uploads
CVE-2008-3743 - first CSRF, for 6.x only
CVE-2008-3744 - second CSRF, for 6.x/5.x (different affected versions so SPLIT)
CVE-2008-3745 - Upload module priv escalation