[VIM] [CVENEW] New CVE CANs: 2013/03/19 10:00 ; count=14

coley at mitre.org
Tue Mar 19 09:04:29 CDT 2013


======================================================
Name: CVE-2013-0205
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0205
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20121206
Category: 
Reference: MLIST:[oss-security] 20130121 Re: CVE request for Drupal contributed modules
Reference: URL:http://www.openwall.com/lists/oss-security/2013/01/21/5
Reference: MISC:https://drupal.org/node/1890222
Reference: CONFIRM:https://drupal.org/node/1890212
Reference: CONFIRM:https://drupal.org/node/1890216

Cross-site request forgery (CSRF) vulnerability in the RESTful Web
Services (restws) module 7.x-1.x before 7.x-1.2 and 7.x-2.x before
7.x-2.0-alpha4 for Drupal allows remote attackers to hijack the
authentication of arbitrary users via unknown vectors.



======================================================
Name: CVE-2013-0206
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0206
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20121206
Category: 
Reference: MLIST:[oss-security] 20130121 Re: CVE request for Drupal contributed modules
Reference: URL:http://www.openwall.com/lists/oss-security/2013/01/21/5
Reference: MISC:https://drupal.org/node/1890318
Reference: CONFIRM:http://drupal.org/node/1883976
Reference: CONFIRM:http://drupal.org/node/1883978
Reference: CONFIRM:http://drupalcode.org/project/live_css.git/commitdiff/cb7005f
Reference: CONFIRM:http://drupalcode.org/project/live_css.git/commitdiff/ef323c8

Unrestricted file upload vulnerability in the Live CSS module 6.x-2.x
before 6.x-2.1 and 7.x-2.x before 7.x-2.7 for Drupal allows remote
authenticated users with the "administer CSS" permissions to execute
arbitrary code by uploading a file with an executable extension, then
accessing it via a direct request to the file in an unspecified
directory.



======================================================
Name: CVE-2013-0207
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0207
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20121206
Category: 
Reference: MLIST:[oss-security] 20130121 Re: CVE request for Drupal contributed modules
Reference: URL:http://www.openwall.com/lists/oss-security/2013/01/21/5
Reference: MISC:https://drupal.org/node/1890538
Reference: CONFIRM:http://drupalcode.org/project/mark_complete.git/commitdiff/a18c7b2
Reference: CONFIRM:https://drupal.org/node/1890566

Cross-site request forgery (CSRF) vulnerability in the Mark Complete
module 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers to
hijack the authentication of unspecified victims via unknown vectors.



======================================================
Name: CVE-2013-0224
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0224
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20121206
Category: 
Reference: MLIST:[oss-security] 20130124 Re: CVE request for Drupal contributed modules
Reference: URL:http://www.openwall.com/lists/oss-security/2013/01/25/4
Reference: MISC:https://drupal.org/node/1896714
Reference: CONFIRM:https://drupal.org/node/1895234

The Video module 7.x-2.x before 7.x-2.9 for Drupal, when using the
FFmpeg transcoder, allows local users to execute arbitrary PHP code by
modifying a temporary PHP file.



======================================================
Name: CVE-2013-0225
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0225
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20121206
Category: 
Reference: MLIST:[oss-security] 20130124 Re: CVE request for Drupal contributed modules
Reference: URL:http://www.openwall.com/lists/oss-security/2013/01/25/4
Reference: MISC:https://drupal.org/node/1896720
Reference: CONFIRM:http://drupalcode.org/project/user_relationships.git/commitdiff/17e94b9
Reference: CONFIRM:http://drupalcode.org/project/user_relationships.git/commitdiff/b9a4739
Reference: CONFIRM:https://drupal.org/node/1896272
Reference: CONFIRM:https://drupal.org/node/1896276

Cross-site scripting (XSS) vulnerability in the User Relationships
module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.0-alpha5 for
Drupal allows remote authenticated users with the "administer user
relationships" permission to inject arbitrary web script or HTML via a
relationship name.



======================================================
Name: CVE-2013-0226
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0226
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20121206
Category: 
Reference: MLIST:[oss-security] 20130124 Re: CVE request for Drupal contributed modules
Reference: URL:http://www.openwall.com/lists/oss-security/2013/01/25/4
Reference: MISC:https://drupal.org/node/1896752
Reference: CONFIRM:https://drupal.org/node/1896752

The Keyboard Shortcut Utility module 7.x-1.x before 7.x-1.1 for Drupal
does not properly check node restrictions, which allows (1) remote
authenticated users with the "view shortcuts" permission to read nodes
or (2) remote authenticated users with the "admin shortcuts"
permission to read, edit, or delete nodes via unspecified vectors.



======================================================
Name: CVE-2013-0227
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0227
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20121206
Category: 
Reference: MLIST:[oss-security] 20130124 Re: CVE request for Drupal contributed modules
Reference: URL:http://www.openwall.com/lists/oss-security/2013/01/25/4
Reference: MISC:https://drupal.org/node/1896782
Reference: CONFIRM:http://drupalcode.org/project/search_api_sorts.git/commitdiff/f6cbf47
Reference: CONFIRM:https://drupal.org/node/1896756

Cross-site scripting (XSS) vulnerability in the Search API Sorts
module 7.x-1.x before 7.x-1.4 for Drupal allows remote authenticated
users with certain roles to inject arbitrary web script or HTML via
unspecified field labels.



======================================================
Name: CVE-2013-0251
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0251
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20121206
Category: 
Reference: MLIST:[oss-security] 20130203 Re: CVE id request: latd
Reference: URL:http://www.openwall.com/lists/oss-security/2013/02/04/3
Reference: MLIST:[oss-security] 20130205 Re: CVE id request: latd
Reference: URL:http://www.openwall.com/lists/oss-security/2013/02/05/2
Reference: MISC:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699625

Stack-based buffer overflow in llogincircuit.cc in latd 1.25 through
1.30 and earlier allows remote attackers to cause a denial of service
(crash) and possibly execute arbitrary code via a long string in the
llogin version.



======================================================
Name: CVE-2013-0327
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0327
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20121206
Category: 
Reference: MLIST:[oss-security] 20130220 Re: Jenkins CVE request for Jenkins Security Advisory 2013-02-16
Reference: URL:http://www.openwall.com/lists/oss-security/2013/02/21/7
Reference: MISC:https://bugzilla.redhat.com/show_bug.cgi?id=914875
Reference: CONFIRM:http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2013-02-16.cb
Reference: CONFIRM:https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16
Reference: REDHAT:RHSA-2013:0638
Reference: URL:http://rhn.redhat.com/errata/RHSA-2013-0638.html

Cross-site request forgery (CSRF) vulnerability in Jenkins master in
CloudBees Jenkins before 1.502 and LTS before 1.480.3 allows remote
attackers to hijack the authentication of users via unknown vectors.



======================================================
Name: CVE-2013-0328
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0328
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20121206
Category: 
Reference: MLIST:[oss-security] 20130220 Re: Jenkins CVE request for Jenkins Security Advisory 2013-02-16
Reference: URL:http://www.openwall.com/lists/oss-security/2013/02/21/7
Reference: MISC:https://bugzilla.redhat.com/show_bug.cgi?id=914876
Reference: CONFIRM:http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2013-02-16.cb
Reference: CONFIRM:https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16
Reference: REDHAT:RHSA-2013:0638
Reference: URL:http://rhn.redhat.com/errata/RHSA-2013-0638.html
Reference: BID:57994
Reference: URL:http://www.securityfocus.com/bid/57994

Cross-site scripting (XSS) vulnerability in CloudBees Jenkins before
1.502 and LTS before 1.480.3 allows remote attackers to inject
arbitrary web script or HTML via unspecified vectors.



======================================================
Name: CVE-2013-0329
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0329
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20121206
Category: 
Reference: MLIST:[oss-security] 20130220 Re: Jenkins CVE request for Jenkins Security Advisory 2013-02-16
Reference: URL:http://www.openwall.com/lists/oss-security/2013/02/21/7
Reference: MISC:https://bugzilla.redhat.com/show_bug.cgi?id=914877
Reference: CONFIRM:http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2013-02-16.cb
Reference: CONFIRM:https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16
Reference: REDHAT:RHSA-2013:0638
Reference: URL:http://rhn.redhat.com/errata/RHSA-2013-0638.html

Unspecified vulnerability in CloudBees Jenkins before 1.502 and LTS
before 1.480.3 allows remote attackers to bypass the CSRF protection
mechanism via unknown attack vectors.



======================================================
Name: CVE-2013-0330
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0330
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20121206
Category: 
Reference: MLIST:[oss-security] 20130220 Re: Jenkins CVE request for Jenkins Security Advisory 2013-02-16
Reference: URL:http://www.openwall.com/lists/oss-security/2013/02/21/7
Reference: MISC:https://bugzilla.redhat.com/show_bug.cgi?id=914878
Reference: CONFIRM:http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2013-02-16.cb
Reference: CONFIRM:https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16
Reference: REDHAT:RHSA-2013:0638
Reference: URL:http://rhn.redhat.com/errata/RHSA-2013-0638.html
Reference: BID:57994
Reference: URL:http://www.securityfocus.com/bid/57994

Unspecified vulnerability in CloudBees Jenkins before 1.502 and LTS
before 1.480.3 allows remote authenticated users with write access to
build arbitrary jobs via unknown attack vectors.



======================================================
Name: CVE-2013-0331
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0331
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20121206
Category: 
Reference: MLIST:[oss-security] 20130220 Re: Jenkins CVE request for Jenkins Security Advisory 2013-02-16
Reference: URL:http://www.openwall.com/lists/oss-security/2013/02/21/7
Reference: MISC:https://bugzilla.redhat.com/show_bug.cgi?id=914879
Reference: CONFIRM:http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2013-02-16.cb
Reference: CONFIRM:https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16
Reference: REDHAT:RHSA-2013:0638
Reference: URL:http://rhn.redhat.com/errata/RHSA-2013-0638.html
Reference: BID:57994
Reference: URL:http://www.securityfocus.com/bid/57994

CloudBees Jenkins before 1.502 and LTS before 1.480.3 allows remote
authenticated users with write access to cause a denial of service via
a crafted payload.



======================================================
Name: CVE-2013-2263
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2263
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130220
Category: 
Reference: CONFIRM:http://support.citrix.com/article/CTX136623
Reference: OSVDB:90905
Reference: URL:http://osvdb.org/90905
Reference: SECTRACK:1028255
Reference: URL:http://www.securitytracker.com/id/1028255
Reference: SECUNIA:52479
Reference: URL:http://secunia.com/advisories/52479
Reference: XF:citrix-gateway-unspec-security-bypass(82591)
Reference: URL:http://xforce.iss.net/xforce/xfdb/82591

Unspecified vulnerability in Citrix Access Gateway Standard Edition
5.0.x before 5.0.4.223524 allows remote attackers to access network
resources via unknown attack vectors.

