Git-Url: 
http://git.frugalware.org/gitweb/gitweb.cgi?p=homepage-ng.git;a=commitdiff;h=e3f8776a54921928f2bea5514b09699ae7096252

commit e3f8776a54921928f2bea5514b09699ae7096252
Author: Miklos Vajna <vmik...@frugalware.org>
Date:   Tue Aug 10 17:46:45 2010 +0200

FSA684-drupal-views

diff --git a/frugalware/xml/security.xml b/frugalware/xml/security.xml
index 6135116..1af0320 100644
--- a/frugalware/xml/security.xml
+++ b/frugalware/xml/security.xml
@@ -26,6 +26,21 @@

<fsas>
<fsa>
+               <id>684</id>
+               <date>2010-08-10</date>
+               <author>Miklos Vajna</author>
+               <package>drupal-views</package>
+               <vulnerable>5.x_1.7-1locris1</vulnerable>
+               <unaffected>5.x_1.8-1locris1</unaffected>
+               <bts>http://bugs.frugalware.org/task/4246</bts>
+               <cve>No CVE, see http://drupal.org/node/829840.</cve>
+               <desc>Multiple vulnerabilities have been reported in the Views 
module for Drupal, which can be exploited by malicious people to conduct 
cross-site request forgery, and cross-site scripting attacks.
+                       1) The Views UI module allows users to perform certain 
actions via HTTP requests without performing any validity checks to verify the 
requests. This can be exploited to e.g. enable or disable all Views in a site 
when a logged-in user visits a malicious site.
+                       This vulnerability is reported in versions prior to 
5.x-1.8 and 6.x-2.11.
+                       Successful exploitation requires that Views UI module 
is enabled.
+                       2) Input passed via URLs or aggregator feed titles are 
not properly sanitised before being used. This can be exploited to insert 
arbitrary HTML and script code, which will be executed in a user's browser 
session in context of an affected site when the malicious data is returned to 
the user.</desc>
+       </fsa>
+       <fsa>
<id>683</id>
<date>2010-08-10</date>
<author>Miklos Vajna</author>
_______________________________________________
Frugalware-git mailing list
Frugalware-git@frugalware.org
http://frugalware.org/mailman/listinfo/frugalware-git

Reply via email to