what you don't know can hurt you
Showing 1 - 4 of 4 RSS Feed

CVE-2013-6385

Status Candidate

Overview

The form API in Drupal 6.x before 6.29 and 7.x before 7.24, when used with unspecified third-party modules, performs form validation even when CSRF validation has failed, which might allow remote attackers to trigger application-specific impacts such as arbitrary code execution via application-specific vectors.

Related Files

Debian Security Advisory 2828-1
Posted Dec 28, 2013
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2828-1 - Multiple vulnerabilities have been discovered in Drupal, a fully-featured request forgery protection, insecure pseudo random number generation, code execution and incorrect security token validation.

tags | advisory, vulnerability, code execution
systems | linux, debian
advisories | CVE-2013-6385, CVE-2013-6386
MD5 | b9051b551387ee554a124f54c5772677
Mandriva Linux Security Advisory 2013-287-1
Posted Dec 18, 2013
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2013-287 - Drupal core's Image module allows for the on-demand generation of image derivatives. This capability can be abused by requesting a large number of new derivatives which can fill up the server disk space, and which can cause a very high CPU load. Either of these effects may lead to the site becoming unavailable or unresponsive. Drupal's form API has built-in cross-site request forgery validation, and also allows any module to perform its own validation on the form. In certain common cases, form validation functions may execute unsafe operations. Drupal core directly used the mt_rand() pseudorandom number generator for generating security related strings used in several core modules. It was found that brute force tools could determine the seeds making these strings predictable under certain circumstances. Image field descriptions are not properly sanitized before they are printed to HTML, thereby exposing a cross-site scripting vulnerability. A cross-site scripting vulnerability was found in the Color module. A malicious attacker could trick an authenticated administrative user into visiting a page containing specific JavaScript that could lead to a reflected cross-site scripting attack via JavaScript execution in CSS. The Overlay module displays administrative pages as a layer over the current page , rather than replacing the page in the browser window. The Overlay module did not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability. The updated packages has been upgraded to the 7.24 version which is unaffected by these security flaws. Additional apache ACL restrictions has been added to fully conform to the SA-CORE-2013-003 advisory.

tags | advisory, javascript, xss, csrf
systems | linux, mandriva
advisories | CVE-2013-0316, CVE-2013-6385, CVE-2013-6386, CVE-2013-6387, CVE-2013-6388, CVE-2013-6389
MD5 | 95c6c9210b39646db094d3cebe807168
Debian Security Advisory 2804-1
Posted Nov 27, 2013
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2804-1 - Multiple vulnerabilities have been discovered in Drupal, a fully-featured pseudo random number generation, code execution, incorrect security token validation and cross-site scripting.

tags | advisory, vulnerability, code execution, xss
systems | linux, debian
advisories | CVE-2013-6385, CVE-2013-6386, CVE-2013-6387, CVE-2013-6388, CVE-2013-6389
MD5 | 0f89d5075b4f21108407d648d1b11702
Mandriva Linux Security Advisory 2013-287
Posted Nov 27, 2013
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2013-287 - Drupal core's Image module allows for the on-demand generation of image derivatives. This capability can be abused by requesting a large number of new derivatives which can fill up the server disk space, and which can cause a very high CPU load. Either of these effects may lead to the site becoming unavailable or unresponsive. Drupal's form API has built-in cross-site request forgery validation, and also allows any module to perform its own validation on the form. In certain common cases, form validation functions may execute unsafe operations. Drupal core directly used the mt_rand() pseudorandom number generator for generating security related strings used in several core modules. It was found that brute force tools could determine the seeds making these strings predictable under certain circumstances. Various other issues have also been addressed. The updated packages has been upgraded to the 7.24 version which is unaffected by these security flaws.

tags | advisory, csrf
systems | linux, mandriva
advisories | CVE-2013-0316, CVE-2013-6385, CVE-2013-6386, CVE-2013-6387, CVE-2013-6388, CVE-2013-6389
MD5 | 6b765b3883a657882c48081af446ce92
Page 1 of 1
Back1Next

File Archive:

January 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    0 Files
  • 3
    Jan 3rd
    20 Files
  • 4
    Jan 4th
    4 Files
  • 5
    Jan 5th
    37 Files
  • 6
    Jan 6th
    20 Files
  • 7
    Jan 7th
    4 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    0 Files
  • 10
    Jan 10th
    18 Files
  • 11
    Jan 11th
    8 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    31 Files
  • 14
    Jan 14th
    2 Files
  • 15
    Jan 15th
    2 Files
  • 16
    Jan 16th
    2 Files
  • 17
    Jan 17th
    18 Files
  • 18
    Jan 18th
    13 Files
  • 19
    Jan 19th
    15 Files
  • 20
    Jan 20th
    29 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close