Pere Orga

**Name of the Vulnerable Software and Affected Versions** Drupal Views module versions 7.x-3.x before 7.x-3.14 Drupal Views module in Drupal 8.x before 8.1.3 **Description** The issue might allow remote authenticated users to bypass intended access restrictions and obtain sensitive Statistics information. **Recommendations** For Drupal 7.x with Views module versions 7.x-3.x before 7.x-3.14, update to version 7.x-3.14 or later. For Drupal 8.x before 8.1.3, update to version 8.1.3 or later.

**Name of the Vulnerable Software and Affected Versions** Drupal versions prior to 7.44 **Description** The issue allows remote authenticated users to gain privileges through certain vectors involving contributed or custom code that triggers a rebuild of the user profile form. **Recommendations** For versions prior to 7.44, update to version 7.44 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Drupal versions 6.x before 6.38 **Description** The issue allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. This is achieved via a double-encoded URL in the `destination` parameter of the drupal goto function, specifically when used with PHP before 5.4.7. **Recommendations** For Drupal versions 6.x before 6.38, update to version 6.38 or later to resolve the issue. As a temporary workaround, consider restricting access to the drupal goto function to minimize the risk of exploitation. Avoid using the `destination` parameter in the affected function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Drupal versions 6.x before 6.38 **Description** A CRLF injection issue exists in the drupal set header function when used with PHP before 5.1.2, allowing remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by leveraging a module that allows user-submitted data to appear in HTTP headers. **Recommendations** For Drupal versions 6.x before 6.38, update to version 6.38 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Drupal versions 6.x before 6.38 **Description** The issue might allow remote attackers to execute arbitrary code via vectors related to session data truncation when used with certain PHP versions. **Recommendations** For Drupal versions 6.x before 6.38, update to version 6.38 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Drupal versions 7.x prior to 7.43 Drupal versions 8.x prior to 8.0.4 **Description** The issue allows remote authenticated users to bypass access restrictions. This can lead to reading, deleting, or substituting a link to a file uploaded to an unprocessed form. The exploitation is possible by leveraging permission to create content or comment and upload files. **Recommendations** For Drupal 7.x versions prior to 7.43, update to version 7.43 or later. For Drupal 8.x versions prior to 8.0.4, update to version 8.0.4 or later.

**Name of the Vulnerable Software and Affected Versions** Drupal versions 6.x through 6.37 Drupal versions 7.x through 7.42 Drupal versions 8.x through 8.0.3 **Description** The issue allows remote attackers to conduct open redirect attacks by leveraging custom code or a form shown on a 404 error page, related to path manipulation. **Recommendations** For Drupal versions 6.x through 6.37, update to version 6.38 or later. For Drupal versions 7.x through 7.42, update to version 7.43 or later. For Drupal versions 8.x through 8.0.3, update to version 8.0.4 or later.

**Name of the Vulnerable Software and Affected Versions** Drupal versions 6.x through 6.37 Drupal versions 7.x through 7.42 **Description** The XML-RPC system might make it easier for remote attackers to conduct brute-force attacks via a large number of calls made at once to the same method. **Recommendations** For Drupal versions 6.x through 6.37, update to version 6.38 or later. For Drupal versions 7.x through 7.42, update to version 7.43 or later.

**Name of the Vulnerable Software and Affected Versions** Drupal versions 6.x prior to 6.38 Drupal versions 7.x prior to 7.43 **Description** The issue might allow remote attackers to hijack the authentication of site administrators for requests that download and run files with arbitrary JSON-encoded content. **Recommendations** For versions 6.x prior to 6.38, update to version 6.38 or later. For versions 7.x prior to 7.43, update to version 7.43 or later.

**Name of the Vulnerable Software and Affected Versions** Drupal versions prior to 7.41 jQuery Update module versions prior to 7.x-2.7 for Drupal LABjs module versions prior to 7.x-1.8 for Drupal **Description** The issue allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. This is due to an incomplete fix for a previous issue. **Recommendations** For Drupal versions prior to 7.41, update to version 7.41 or later. For jQuery Update module versions prior to 7.x-2.7, update to version 7.x-2.7 or later. For LABjs module versions prior to 7.x-1.8, update to version 7.x-1.8 or later.

**Name of the Vulnerable Software and Affected Versions** Drupal versions 6.x through 6.36 Drupal versions 7.x through 7.38 **Description** A cross-site scripting (XSS) issue in the Autocomplete system allows remote attackers to inject arbitrary web script or HTML via a crafted URL, related to uploading files. **Recommendations** For Drupal 6.x, update to version 6.37 or later. For Drupal 7.x, update to version 7.39 or later. As a temporary workaround, consider restricting access to the file upload functionality until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Chamilo integration module versions 7.x-1.x before 7.x-1.2 for Drupal **Description** The issue allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified parameters. **Recommendations** For versions prior to 7.x-1.2, update to version 7.x-1.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Inline Entity Form module versions 7.x-1.x before 7.x-1.6 **Description** A cross-site scripting (XSS) issue exists, allowing remote authenticated users with permission to create or edit fields to inject arbitrary web script or HTML. **Recommendations** For Inline Entity Form module versions 7.x-1.x before 7.x-1.6, update to version 7.x-1.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Novalnet Payment Module Ubercart module for Drupal (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Hostmaster (Aegir) module versions 6.x-2.x before 6.x-2.4 Hostmaster (Aegir) module versions 7.x-3.x before 7.x-3.0-beta2 **Description** The issue allows remote attackers to execute arbitrary PHP code via a crafted file in the directory used to write Apache vhost files for hosted sites in a multi-site environment. **Recommendations** For Hostmaster (Aegir) module versions 6.x-2.x before 6.x-2.4, update to version 6.x-2.4 or later. For Hostmaster (Aegir) module versions 7.x-3.x before 7.x-3.0-beta2, update to version 7.x-3.0-beta2 or later.

**Name of the Vulnerable Software and Affected Versions** Drupal (affected versions not specified) **Description** A cross-site scripting (XSS) issue exists in the Navigate module, allowing remote authenticated users with specific permissions to inject arbitrary web script or HTML. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Drupal Storage API module versions 7.x-1.x through 7.x-1.7 **Description** The issue allows remote attackers to have an unspecified impact via unknown vectors due to improper access restriction to Storage API fields attached to non-node entities. **Recommendations** For versions 7.x-1.x through 7.x-1.7, update to version 7.x-1.8 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** eXtensible Catalog (XC) Drupal Toolkit (affected versions not specified) **Description** A cross-site request forgery (CSRF) issue exists in the XC NCIP Provider module, allowing remote attackers to hijack the authentication of users with the `administer ncip providers` permission. This can occur through crafted requests that alter NCIP providers. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Drupal Mobile sliding menu module versions 7.x-2.x before 7.x-2.1 **Description** A cross-site scripting (XSS) issue exists, allowing remote authenticated users with the `administer menu` permission to inject arbitrary web script or HTML. **Recommendations** For versions prior to 7.x-2.1, update to version 7.x-2.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Drupal (affected versions not specified) **Description** A cross-site scripting (XSS) issue in the Video Consultation module allows remote attackers to inject arbitrary web script or HTML. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.