Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 234714 - www-apps/drupal <5.10 / <6.4 Multiple vulnerabilities (CVE-2008-{3740,3741,3742,3743,3744,3745)
Summary: www-apps/drupal <5.10 / <6.4 Multiple vulnerabilities (CVE-2008-{3740,3741,37...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High trivial (vote)
Assignee: Gentoo Security
URL: http://drupal.org/node/295053
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-08-14 09:05 UTC by Baptiste aka mRyOuNg
Modified: 2008-08-20 22:11 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Baptiste aka mRyOuNg 2008-08-14 09:05:25 UTC
Multiple vulnerabilities - Drupal <5.10 / <6.4

Cross site scripting (<5.10 / <6.4)
Arbitrary file uploads via BlogAPI (<5.10 / <6.4)
Cross site request forgeries (<5.10 / <6.4)
Various Upload module vulnerabilities (<6.4)

For more information: http://drupal.org/node/295053

(Can't find any CVE yet)

Reproducible: Always
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-08-14 11:43:42 UTC
Secunia already picked this up, so it will get a CVE through that.
Comment 2 Benedikt Böhm (RETIRED) gentoo-dev 2008-08-18 11:35:04 UTC
in cvs, no stable version
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-08-18 13:41:22 UTC
thanks, closing.
Comment 4 Christian Hoffmann (RETIRED) gentoo-dev 2008-08-20 22:11:00 UTC
Thanks to hanno and Steven from mitre for the CVEs:

CVE-2008-3740 - first XSS
CVE-2008-3741 - second XSS.  This has a different root cause so is SPLIT.
CVE-2008-3742 - BlogAPI file uploads
CVE-2008-3743 - first CSRF, for 6.x only
CVE-2008-3744 - second CSRF, for 6.x/5.x (different affected versions so
                SPLIT)
CVE-2008-3745 - Upload module priv escalation