Newsletter

Ubercart sub-modules - Multiple Vulnerabilities

* Advisory ID: DRUPAL-SA-CONTRIB-2010-083
* Project: UC2Checkout, UCPaypal, UC Cart Links (third-party modules in the
Ubercart Project)
* Version: 5.x, 6.x
* Date: 2010-Aug-11
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Access Bypass, Cross Site Request Forgery

Print - Local file read access

* Advisory ID: DRUPAL-SA-CONTRIB-2010-082
* Project: Printer, e-mail and PDF versions (third-party module)
* Version: 5.x, 6.x
* Date: 2010-August-11
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Local file read access

FileField Sources - Arbitrary Code Execution

* Advisory ID: DRUPAL-SA-CONTRIB-2010-081
* Project: FileField Sources (third-party module)
* Version: 6.x
* Date: 2010-May-19
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Arbitrary Code Execution

Privatemsg - Cross Site Scripting

* Advisory ID: DRUPAL-SA-CONTRIB-2010-080
* Project: Privatemsg (third-party module)
* Version: 6.x
* Date: 2010-August-11
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Cross-Site Scripting

New ATutor 2.0 Modules

August 11, 2010

Three new modules for ATutor 2.0 were released today. They can be downloaded from the ATutor module site at the link below, or they can be imported directly from atutor.ca using the ATutor administrator's Module Manager. For more about modules, or to download them, visit:

Kaltura - Information disclosure

* Advisory ID: DRUPAL-SA-CONTRIB-2010-078
* Project: Kaltura (third-party module)
* Versions: 5.x, 6.x
* Date: 2010-July-28
* Security risk: Less Critical
* Exploitable from: Remote
* Vulnerability: Information disclosure

Drupad - Cross site request forgery

* Advisory ID: DRUPAL-SA-CONTRIB-2010-074
* Projects: Drupad (third-party module)
* Version: 6.x
* Date: 2010-07-14
* Security risks: Critical
* Exploitable from: Remote
* Vulnerability: CSRF

ATutor 2.0 Released

July 6, 2010

ATutor 2.0 has now been released. This version has some significant new features and represents a change of direction for ATutor software from its LMS roots to a collection of tools for developing online classrooms. ATutor administrators should upgrade their systems at their earliest convenience.

Drupal Upgrading

UPGRADING
---------

Prior to upgrading, you should ensure that:

* Your system meets or exceeds Drupal's minimum requirements as shown at
http://drupal.org/requirements.
* You have a backup of all your relevant data (#1).
* Custom and contributed modules have been checked for compatibility (#11).
* Custom and contributed themes have been checked for compatibility (#11).
* You have read through this entire document.

Joomla Security News

Project: Joomla!

  • SubProject: All
  • Severity: High
  • Versions: 1.5.17 and all previous 1.5 releases
  • Exploit type: XSS Injection
  • Reported Date: 2010-May-13
  • Fixed Date: 2010-May-28
  • Description
    A back-end user can inject JavaScript in various administrator screens.