Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE request for Drupal core, and contributed modules
From: cve-assign () mitre org
Date: Wed, 11 Dec 2013 23:44:44 -0500 (EST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SA-CONTRIB-2013-093   CVE-2013-7063

SA-CONTRIB-2013-094   CVE-2013-7064

Note that this says 'The module doesn't sufficiently fiter [sic] and
validate configuration values entered by administrators. This
vulnerability is mitigated by the fact that an attacker must have a
role with the permission "Administer EU Cookie Compliance popup".' Our
perspective is that, typically, web applications do not have a threat
model in which crafted configuration settings entered by admins are a
vector that qualifies for a CVE assignment. You, in the context of
representing the "vendor" of the module, are allowed to have that
threat model if you want to. (This is entirely reasonable if an XSS
attack would realistically result in privilege escalation to a
higher-level admin account.) If you want to reconsider, we can
optionally reject this CVE for you. Otherwise, it will remain a valid
(and non-disputed) CVE.


SA-CONTRIB-2013-095
  Posting content into groups where a user is not a member CVE-2013-7065
  Inconsistent access checking in posting content CVE-2013-7068

SA-CONTRIB-2013-096   CVE-2013-7066

SA-CONTRIB-2013-097   CVE-2013-7067

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJSqT71AAoJEKllVAevmvms7aAH/j6E+fBmktGi/1OQgPxDJ/6R
Fsd45/cHZPqRR3Yx95hQEpCP2lSBkzfdJuyqpq2rrKU0x34nogR9eotbt5rk06qY
jM9Wr1yEY6VWtvkF+7PT7OtYY4eBk3GR66iPwJSxE+za2j6xxfAegyYxBYPnNyZ3
StE20jX4Wr01TPOEfS6mJYJuiOcHbJphf5w2UuGXXnUvVAR7MT5l0d2LJcKwuxCl
2pkD8jWgkKtPgr+RyYUHdk8LhzIpo6ENLtruJRY66wz0sF+XRxds9jyvQovsuhJy
SuJQ1iHK9gf3k/dL+84YA2VpPb1GNKQVjER1AqALpqjWWiwqotySqEQ3GeDW3sk=
=0M9J
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]