[VIM] OG Features module bypass / CVE-2013-7067 version inconsistencies

Christey, Steven M. coley at mitre.org
Wed Dec 18 19:24:38 CST 2013


Refs: CONFIRM:https://drupal.org/node/2149743
MISC:https://drupal.org/node/2149791

X-Force, SecurityFocus, and OSVDB all state that 6.x-1.2 is the last version affected. This is likely due to a segment in 2149791 stating that "versions prior to 6.x-1.3" are affected. However, in the same advisory a couple lines later, the Drupal team says "upgrade to OG Features 6.x-1.4," linking to 2149743 - the maintainer's advisory, which identifies 6.x-1.4 and clearly mentions the vulnerability.

Since 6.x-1.3 was released on February 14, 2012 according to https://drupal.org/node/1080238, it is our opinion that 6.x-1.3 is also vulnerable.

- Steve


