Drupal Security

Panopoly Core - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-093

Drupal Contributed Security - Wed, 12/13/2017 - 14:24
Version: 7.x-1.x-dev
Date: 2017-December-13
Vulnerability: Cross Site Scripting
Description:

This module provides common functionality used by other modules in the Panopoly distribution and its child distributions, such as Open Atrium.

The module does not sufficiently filter node titles when they are used in breadcrumbs with the "Append Page Title to Site Breadcrumb" setting enabled, so a title containing markup is rendered unescaped.

This vulnerability is mitigated by the fact that an attacker must have a role with the ability to create content.

Solution: 

Install the latest version:


Node feedback - Moderately critical - Access Bypass - SA-CONTRIB-2017-092

Drupal Contributed Security - Wed, 12/06/2017 - 15:02
Version: 7.x-1.2
Date: 2017-December-06
Vulnerability: Access Bypass
Description:

This module enables feedback about nodes to be sent through the personal or site-wide contact forms.

The module does not sufficiently check access to the nodes whose titles are shown on those contact forms, so the titles of nodes a user is not allowed to view can be disclosed.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Use the site-wide contact form" or "Use users' personal contact forms" which is often assigned to untrusted user roles such as anonymous.

Solution: 

Install the latest version:

Also see the Node feedback project page.


Configuration Update Manager - Moderately critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2017-091

Drupal Contributed Security - Wed, 12/06/2017 - 14:44
Version: 8.x-1.4
Date: 2017-December-06
Vulnerability: Cross Site Request Forgery (CSRF)
Description:

The Configuration Update Reports sub-module in the Configuration Update module project enables you to run reports to see what configuration on your site differs from the configuration distributed by a module, theme, or installation profile, and to revert, delete, or import configuration.

This module does not sufficiently protect the Import operation, thereby exposing a Cross Site Request Forgery (CSRF) vulnerability: an unprivileged user can trick an administrator into performing an unwanted import of configuration.

This vulnerability is mitigated by the fact that only configuration items distributed with a module, theme, or installation profile that is currently installed and enabled on the site can be imported, not arbitrary configuration values.

Solution: 

Install the latest version:

Alternatively, you could remove the permission "import configuration" from all roles on the site, or uninstall the Configuration Update Reports sub-module from your production sites.

Also see the Configuration Update Manager project page.


Feedback Collect - Moderately critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-090

Drupal Contributed Security - Wed, 12/06/2017 - 14:41
Version: 7.x-1.5
Date: 2017-December-06
Vulnerability: Cross Site Scripting (XSS)
Description:

This module enables you to add feedback forms and gather end-user feedback, bug reports or any kind of suggestions.

The module does not sufficiently filter the output of its own fields when feedback-collect content is created or edited.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "create feedback-collect content" or its related editing permissions.

Solution: 

Install the latest version:

Also see the Feedback Collect project page.


Mailhandler - Critical - Remote Code Execution - SA-CONTRIB-2017-089

Drupal Contributed Security - Wed, 12/06/2017 - 14:37
Version: 7.x-2.10
Date: 2017-December-06
Vulnerability: Remote Code Execution
Description:

The Mailhandler module enables you to create nodes by email.

The Mailhandler module does not validate file attachments. By sending a crafted e-mail to a Mailhandler mailbox, an attacker can execute arbitrary code on the web server.

The vulnerability applies to any active mailhandler mailbox, whether or not attachments are mapped to a field.

Mitigating factors:

  • For 7.x versions prior to 7.x-2.5, the vulnerability is mitigated by the fact that the 'MailhandlerCommandsFiles' plugin must be enabled. In later versions the option to disable commands was removed, so this plugin is always enabled.
  • The vulnerability is mitigated by the fact that the attacker must pass the authentication step. With the default authentication, the crafted e-mail must be sent from a registered user's e-mail address. Note that the From address of an e-mail is attacker-controlled, so this check is easily bypassed unless the mailbox verifies messages in some other way.
  • The vulnerability is mitigated by the fact that the attacker must know the mailbox's e-mail address. How discoverable that is depends on the use case, e.g. when the Mailcomment module is used.
  • The vulnerability is mitigated by the fact that the web server must either execute some file extension found in the public files directory, or (on Apache) honour '.htaccess' files through the AllowOverride directive, which lets an uploaded .htaccess change how files in that directory are served.
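
The last two mitigating factors come down to what ends up on disk and how the web server treats it. As an added illustration (not Mailhandler's code and not a patch for it), the Python below shows the filename checks a module that stores e-mail attachments should apply before writing into the public files directory: keep only the basename, refuse dotfiles such as .htaccess, require the final extension to be on an allow-list, and append an underscore to inner extensions that look like handler names, the same idea Drupal 7 core applies in file_munge_filename(). The allow-list, the extension pattern and the sample attachments are assumptions constructed for this example.

```python
import posixpath
import re

# Assumed allow-list for a mailbox whose attachments go to an image/document
# field; a real module would read it from the target field's settings.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Drupal 7's file_munge_filename() treats an inner name part as an extension
# when it is 2-5 letters plus an optional digit (php, phtml, php7, pl ...).
EXTENSION_LIKE = re.compile(r"^[a-zA-Z]{2,5}\d?$")


class UnsafeAttachment(ValueError):
    """Raised when an attachment name cannot be made safe; the attachment is dropped."""


def safe_attachment_name(raw_name, allowed=ALLOWED_EXTENSIONS):
    """Return a name that is safe to write into a web-served files directory.

    Rules (a stricter variant of what core's file_munge_filename() does):
      * path separators and NUL bytes are stripped, only the basename is kept;
      * dotfiles (.htaccess, .user.ini) are rejected outright, because with
        AllowOverride on an uploaded .htaccess can make images executable;
      * the final extension must be on the allow-list, otherwise reject;
      * any inner extension-like part that is not allowed gets '_' appended
        (shell.php.jpg -> shell.php_.jpg) so no server handler matches it.
    """
    name = posixpath.basename(raw_name.replace("\0", "").replace("\\", "/")).strip()
    if not name or name.startswith("."):
        raise UnsafeAttachment("rejected dotfile or empty name: %r" % raw_name)

    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        raise UnsafeAttachment("no usable extension: %r" % raw_name)

    base, inner, final = parts[0], parts[1:-1], parts[-1]
    if final.lower() not in allowed:
        raise UnsafeAttachment("extension .%s not allowed: %r" % (final, raw_name))

    munged = [base]
    for part in inner:
        if part.lower() not in allowed and EXTENSION_LIKE.match(part):
            part += "_"
        munged.append(part)
    return ".".join(munged + [final])


def process_attachments(attachments, allowed=ALLOWED_EXTENSIONS):
    """Split (name, payload) pairs into those safe to store and those to drop.

    Returns (kept, dropped); kept holds (safe_name, payload), dropped holds
    (original_name, reason). A mailbox handler should log the dropped list.
    """
    kept, dropped = [], []
    for name, payload in attachments:
        try:
            kept.append((safe_attachment_name(name, allowed), payload))
        except UnsafeAttachment as err:
            dropped.append((name, str(err)))
    return kept, dropped


if __name__ == "__main__":
    # Constructed sample: what a crafted message might carry as attachments.
    sample = [
        ("photo.JPG", b"\xff\xd8..."),
        ("shell.php.jpg", b"<?php system($_GET['c']); ?>"),
        ("../../sites/default/settings.php", b"<?php ..."),
        (".htaccess", b"AddType application/x-httpd-php .jpg\n"),
        ("report.2017.pdf", b"%PDF-1.4 ..."),
    ]
    kept, dropped = process_attachments(sample)
    for safe_name, _ in kept:
        print("kept   ", safe_name)
    for original, reason in dropped:
        print("dropped", original, "->", reason)
```

The filename check is the second line of defence, not the first: keep the .htaccess that Drupal writes into the files directory (file_ensure_htaccess() in Drupal 7) and make sure the web server does not execute anything stored there regardless of name.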
Solution: 

Install the latest version:

Also see the Mailhandler project page.


bootstrap_carousel - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-088

Drupal Contributed Security - Wed, 11/29/2017 - 14:21
Version: 7.x-1.x-dev
Date: 2017-November-29
Vulnerability: Cross Site Scripting
Description:

This module provides a way to make carousels, based on bootstrap-carousel.js.

The module does not sufficiently sanitize the value it outputs in the alt attribute of img tags.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Carousel: Create new content" or any similar node module permissions for creating/editing/removing the module-delivered content type.

Solution: 

Install the latest version:


Services single sign-on client - Critical - Cross-site scripting - SA-CONTRIB-2017-087

Drupal Contributed Security - Wed, 11/29/2017 - 14:17
Version: 7.x-1.x-dev
Date: 2017-November-29
Vulnerability: Cross-site scripting
Description:

This module allows users of a remote Services-enabled Drupal site to sign on to a second site with their credentials.

The module does not sanitize information from the request before displaying it, thereby exposing a cross-site scripting vulnerability.

Solution: 

Install the latest version:


Cloud - Critical - CSRF - SA-CONTRIB-2017-086

Drupal Contributed Security - Wed, 11/29/2017 - 14:13
Version: 7.x-1.x-dev
Date: 2017-November-29
Vulnerability: CSRF
Description:

This module enables sites to manage public clouds like Amazon EC2 and also private clouds like OpenStack.

The module does not sufficiently protect the deletion of audit reports, thereby exposing a cross-site request forgery (CSRF) vulnerability: an unprivileged user can trick an administrator into an unwanted deletion of audit reports.

This vulnerability is mitigated by the fact that the victim must have a role with the permission "access audit report".

Solution: 

Install the latest version:

  • If you use the Cloud module for Drupal 7, upgrade to Cloud 7.x-1.7

MoneySuite - Moderately critical - Access bypass - SA-CONTRIB-2017-085

Drupal Contributed Security - Wed, 11/29/2017 - 14:09
Version: 7.x-10.x-dev
Date: 2017-November-29
Vulnerability: Access bypass
Description:

MoneySuite provides a set of modules for Drupal sites that rely on the sale of memberships and/or content for revenue.

The modules have an access bypass vulnerability which allows untrusted users (including anonymous users) to view payments made by users within the system. No data can be modified, nor are any credit card numbers displayed.

Solution: 

Install the latest version:


Domain Integration - Moderately critical - Access bypass - SA-CONTRIB-2017-084

Drupal Contributed Security - Wed, 11/29/2017 - 14:01
Version: 7.x-1.x-dev
Date: 2017-November-29
Vulnerability: Access bypass
Description:

This module enables you to integrate the Domain module with other popular Drupal modules. The Domain Integration Login Restrict sub-module enables you to restrict access to a domain based on the assigned domains on a user.

The Domain Integration Login Restrict sub-module does not sufficiently check these restrictions when a user logs in through a one-time login link (for example a password reset link), so the domain restriction can be bypassed on that path.

This vulnerability is mitigated by the fact that an attacker must have an active account on one of the domains.

Solution: 

Install the latest version:


Custom Permissions - Moderately critical - Access bypass - SA-CONTRIB-2017-083

Drupal Contributed Security - Wed, 11/08/2017 - 13:22
Version: 8.x-1.x-dev
Date: 2017-November-08
Vulnerability: Access bypass
Description:

Custom Permissions is a lightweight module that allows permissions to be created and managed through an administrative form.

When this module is in use, any user who can perform an action that rebuilds some of Drupal's caches can trigger a window in which pages protected by the module's custom permissions temporarily lose those access controls. This results in an access bypass vulnerability.

Solution: 

Install the latest version:


Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2017-082

Drupal Contributed Security - Wed, 11/08/2017 - 13:16
Version: 8.x-1.x-dev
Date: 2017-November-08
Vulnerability: Access bypass
Description:

The Permissions by Term module extends Drupal by adding functionality for restricting access to single nodes via taxonomy terms.

The module grants access to nodes that are being blocked by other node access modules and that the Permissions by Term module does not intend to control. Additionally, it grants access to unpublished nodes in node listings to users who should not be able to see them. These problems lead to an access bypass vulnerability.

This vulnerability is mitigated by the fact that it only occurs on sites that either have another node access module (besides Permissions by Term) in use, or that have node listings that are accessible to unprivileged users and that don't directly filter out unpublished content.
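
Both failure modes in this advisory follow from how Drupal's node access grants combine: records written by every node-access module are OR-ed, so a module that writes a "view" record for a node it does not mean to control overrides the restriction another module placed on it, and a record written for an unpublished node makes that node appear in any listing that relies on node access alone. The same can_view() check is what the Node feedback entry above is missing before it shows node titles. The Python below is an added, simplified model of that grants system written for this page (not Permissions by Term's code); the 'private' module, the term-to-grant mapping and the four-node site are constructed for the example.

```python
from dataclasses import dataclass

# Simplified model of Drupal 7's node_access grants system. Records from every
# node-access module are OR-ed: a node is viewable if ANY record matches ANY
# (realm, gid) pair the user holds. Only when no module returns a record for a
# *published* node does core fall back to the public ('all', 0) record.


@dataclass(frozen=True)
class Node:
    nid: int
    status: bool                     # True = published
    terms: frozenset = frozenset()   # taxonomy term ids attached to the node
    private: bool = False            # flag read by a hypothetical 'private' module


@dataclass(frozen=True)
class Record:
    realm: str
    gid: int


PUBLIC = Record("all", 0)

# Assumed mapping of controlled term id -> grant id in the 'term' realm.
# Term 10 is restricted: only users holding ('term', 10) may see its nodes.
CONTROLLED_TERMS = {10: 10}


def private_module_records(node):
    """Another node-access module: staff-only records for nodes it marks private."""
    return [Record("private", 1)] if node.private else []


def term_module_records_buggy(node):
    """The behaviour the advisory describes: a record for EVERY node, even ones
    without a controlled term and even unpublished ones. The fallback record
    for uncontrolled nodes overrides whatever other modules decided."""
    gids = [CONTROLLED_TERMS[t] for t in node.terms if t in CONTROLLED_TERMS]
    return [Record("term", g) for g in gids] or [PUBLIC]


def term_module_records_fixed(node):
    """Speak only for nodes the module actually controls, and never for
    unpublished ones; everything else is left to other modules and core."""
    if not node.status:
        return []
    return [Record("term", CONTROLLED_TERMS[t]) for t in node.terms if t in CONTROLLED_TERMS]


def acquire_grants(node, modules):
    """Mirror node_access_acquire_grants(): union of module records; if none,
    the public record for published nodes and nothing for unpublished ones."""
    records = [r for module in modules for r in module(node)]
    if not records and node.status:
        records = [PUBLIC]
    return frozenset(records)


def can_view(node_records, user_grants):
    """user_grants is {realm: set(gids)}, the shape hook_node_grants() returns."""
    return any(r.gid in user_grants.get(r.realm, ()) for r in node_records)


def listing(nodes, modules, user_grants):
    """A listing that relies on node_access alone, with no status filter of its own."""
    return [n.nid for n in nodes if can_view(acquire_grants(n, modules), user_grants)]


# Constructed site: four nodes and three users.
NODES = [
    Node(1, True, frozenset({10})),   # published, restricted by term 10
    Node(2, True, private=True),      # published, restricted by the private module
    Node(3, False, frozenset({10})),  # unpublished draft carrying term 10
    Node(4, True),                    # ordinary public node
]
GRANTS = {
    "anonymous": {"all": {0}},
    "editor": {"all": {0}, "term": {10}},
    "staff": {"all": {0}, "private": {1}},
}


def visible_per_user(term_module):
    """Which nids each user sees with the term module installed next to the
    private module: {'anonymous': [...], 'editor': [...], 'staff': [...]}."""
    modules = [private_module_records, term_module]
    return {who: listing(NODES, modules, grants) for who, grants in GRANTS.items()}


if __name__ == "__main__":
    print("buggy:", visible_per_user(term_module_records_buggy))
    print("fixed:", visible_per_user(term_module_records_fixed))
```

With the buggy records anonymous users see the staff-only node 2 and editors see the unpublished node 3; with the fixed records node 2 is back to staff only and node 3 appears for nobody. Whether an author may see their own unpublished draft is decided by the separate "view own unpublished content" permission in node_access(), not by grant records.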

Solution: 

Install the latest version:


Automated Logout - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-081

Drupal Contributed Security - Wed, 11/01/2017 - 14:22
Version: 7.x-4.x-dev
Date: 2017-November-01
Vulnerability: Cross Site Scripting
Description:

This module provides a site administrator the ability to log users out after a specified time of inactivity. It is highly customizable and includes "site policies" by role to enforce log out.

The module does not sufficiently filter user-supplied text that is stored in the configuration, resulting in a persistent Cross Site Scripting vulnerability (XSS).

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer autologout".

Solution: 

Install the latest version:


Mosaik - Moderately critical - Cross-site scripting - SA-CONTRIB-2017-080

Drupal Contributed Security - Wed, 10/25/2017 - 12:28
Version: 7.x-1.x-dev
Date: 2017-October-25
Vulnerability: Cross-site scripting
Description:

The Mosaik module enables you to create pages or complex blocks in Drupal with the logic of a real mosaic and its pieces.

The module doesn't sufficiently sanitize the titles of fieldsets on its administration pages or the titles of blocks that it creates. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer mosaik".

Solution: 

Install the latest version:

Also see the Mosaik project page.


Brilliant Gallery - Highly critical - Multiple Vulnerabilities - SA-CONTRIB-2017-079

Drupal Contributed Security - Wed, 10/25/2017 - 12:09
Version: 7.x-1.x-dev
Date: 2017-October-25
Vulnerability: Multiple Vulnerabilities
Description:

This module enables you to display any number of galleries based on images located in the files folder.

The module doesn't sufficiently sanitize various database queries which may allow attackers to craft requests resulting in an SQL injection vulnerability. This vulnerability could be exploited even by anonymous users and could potentially allow them to take over the site.

The module doesn't sufficiently confirm a user's intent to save checklist data, which allows for a cross-site request forgery (CSRF) exploit to be executed by unprivileged users.

Some configuration fields are not filtered while rendered, resulting in a cross-site scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer Brilliant Gallery".

Solution: 

Install the latest version:


Yandex.Metrics - Moderately critical - Cross site scripting - SA-CONTRIB-2017-78

Drupal Contributed Security - Wed, 10/18/2017 - 12:48
Version: 7.x-3.x-dev, 7.x-2.x-dev, 7.x-1.x-dev
Date: 2017-October-18
Vulnerability: Cross site scripting
Description:

The Yandex.Metrics module allows you to look for key indicators of your site effectiveness.

The module does not sufficiently make clear that its settings page must not be given to untrusted users; a user with access to the settings page can inject script through the settings.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer Yandex.Metrics settings."

Edited October 19, 2017 to add a note about checking permissions.

Solution: 

Install the latest version:

  • If you use the Yandex.Metrics module for Drupal 7.x, upgrade to Yandex.Metrics 7.x-3.1 and also examine your site's permission configuration to ensure that only highly-trusted administrators have the "Administer Yandex.Metrics Settings" permission.

Also see the Yandex.Metrics project page.


netFORUM Authentication - Moderately critical - Access Bypass - SA-CONTRIB-2017-077

Drupal Contributed Security - Wed, 10/11/2017 - 13:01
Version: 7.x-1.0
Date: 2017-October-11
Vulnerability: Access Bypass
Description:

The netFORUM Authentication module implements external authentication for users against netFORUM.

The module does not correctly use flood control, so failed login attempts against the external authentication are not rate-limited and the login is susceptible to brute-force attacks.
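
What "correctly use flood control" means in practice: check the per-IP and per-account counters before the credentials go to the backend, register every failure, and clear the per-account counter on success, which is what core's own login path does with flood_is_allowed(), flood_register_event() and flood_clear_event(). The Python below is an added example written for this page, not netFORUM Authentication's code: FloodControl is an in-memory stand-in for core's flood table, FakeExternalAuth stands in for the remote directory, and the thresholds are core's default user_failed_login_* values.

```python
import time
from collections import defaultdict, deque

# Core's defaults for the two counters its login path uses
# (user_failed_login_ip_limit/window and user_failed_login_user_limit/window).
IP_LIMIT, IP_WINDOW = 50, 3600
USER_LIMIT, USER_WINDOW = 5, 6 * 3600


class FloodControl:
    """In-memory stand-in for flood_register_event() / flood_is_allowed() /
    flood_clear_event(): events are kept per (name, identifier) with an expiry,
    and an action is refused once the number of live events reaches the threshold."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._events = defaultdict(deque)  # (name, identifier) -> expiry timestamps

    def register_event(self, name, identifier, window):
        self._events[(name, identifier)].append(self._clock() + window)

    def is_allowed(self, name, identifier, threshold):
        now = self._clock()
        queue = self._events[(name, identifier)]
        while queue and queue[0] <= now:      # drop expired events
            queue.popleft()
        return len(queue) < threshold

    def clear_event(self, name, identifier):
        self._events.pop((name, identifier), None)


class FakeExternalAuth:
    """Constructed stand-in for the remote directory: counts how many
    credential checks actually reach it."""

    def __init__(self, users):
        self._users = users
        self.calls = 0

    def check(self, username, password):
        self.calls += 1
        return self._users.get(username) == password


def login_unthrottled(backend, username, password):
    """The pattern the advisory describes: every guess goes straight to the
    backend, so an attacker is limited only by network speed."""
    return "ok" if backend.check(username, password) else "denied"


def login_throttled(flood, backend, username, password, ip):
    """Fixed pattern: consult both counters BEFORE touching the backend, register
    every failure, and clear only the per-account counter on success."""
    account_id = "%s-%s" % (username.lower(), ip)   # same shape core uses: uid-ip
    if not flood.is_allowed("failed_login_ip", ip, IP_LIMIT):
        return "blocked-ip"
    if not flood.is_allowed("failed_login_user", account_id, USER_LIMIT):
        return "blocked-user"
    if backend.check(username, password):
        flood.clear_event("failed_login_user", account_id)
        return "ok"
    flood.register_event("failed_login_ip", ip, IP_WINDOW)
    flood.register_event("failed_login_user", account_id, USER_WINDOW)
    return "denied"


if __name__ == "__main__":
    now = [1_700_000_000.0]                     # controllable clock for the demo
    flood = FloodControl(clock=lambda: now[0])
    backend = FakeExternalAuth({"alice": "correct horse"})
    for _ in range(7):
        print(login_throttled(flood, backend, "alice", "wrong", "203.0.113.9"))
    print("backend calls:", backend.calls)      # 5, not 7
    now[0] += USER_WINDOW + 1
    print(login_throttled(flood, backend, "alice", "correct horse", "203.0.113.9"))
```

Note that the per-account counter is keyed on account plus IP, as core does, so one attacker cannot lock every account out from a single address; the per-IP counter is what stops a wide, low-rate spray from one host.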

Solution: 

Install the latest version:


Skype Status - Moderately Critical - Cross Site Scripting - DRUPAL-SA-CONTRIB-2017-076

Drupal Contributed Security - Wed, 09/20/2017 - 14:48
Description

This module enables you to obtain the status of a user's Skype account.

The module does not sufficiently sanitize the Skype ID entered by a user before outputting it.

This vulnerability is mitigated by the fact that an attacker must have an account on the site and be allowed to edit/input their Skype ID.
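
Most of the cross-site scripting entries on this page (the Panopoly breadcrumb title, the carousel alt attribute, the Feedback Collect and Automated Logout fields, the Skype ID here) are the same defect in one of three output contexts: text between tags, a quoted attribute value, or a URL attribute. The Python below is an added example written for this page, not any of these modules' code: html.escape() plays the part of Drupal 7's check_plain() for the first two contexts, safe_url() the part of check_url() and drupal_strip_dangerous_protocols() for the third, and a small HTMLParser-based audit() shows what a browser would actually see in each rendering. The payloads, paths and function names are constructed for the example.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https")


def render_breadcrumb_vulnerable(site_name, node_title):
    """Title concatenated raw into the markup (text context)."""
    return '<a href="/">%s</a> &raquo; %s' % (html.escape(site_name), node_title)


def render_breadcrumb_safe(site_name, node_title):
    """html.escape() does what check_plain() does: <, >, & and both quote
    characters become entities, so the title can only ever be text."""
    return '<a href="/">%s</a> &raquo; %s' % (html.escape(site_name), html.escape(node_title))


def safe_url(url):
    """URL attribute: escaping alone does not stop javascript: or data: URLs.
    Strip the control characters browsers ignore, then allow only http(s)
    schemes and scheme-less (site-relative) paths; anything else becomes empty."""
    cleaned = re.sub(r"[\x00\t\r\n]", "", url).strip()
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        return ""
    return html.escape(cleaned, quote=True)


def render_carousel_item_vulnerable(src, alt):
    """alt dropped into an attribute unescaped: a quote in it closes the
    attribute and whatever follows becomes new attributes (onerror=...)."""
    return '<img src="%s" alt="%s">' % (src, alt)


def render_carousel_item_safe(src, alt):
    """Attribute context: quote=True escapes " and ' as well, which is what
    keeps the value inside the attribute; src goes through the URL rule."""
    return '<img src="%s" alt="%s">' % (safe_url(src), html.escape(alt, quote=True))


class TagCollector(HTMLParser):
    """Tiny output checker: the tags, on* attributes and URL attribute values a
    browser would see in a rendered fragment."""

    def __init__(self):
        super().__init__()
        self.tags, self.handlers, self.urls = [], [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, value in attrs:
            if name.startswith("on"):
                self.handlers.append(name)
            if name in ("src", "href"):
                self.urls.append(value or "")


def audit(markup):
    """Return (tags, event handler attribute names, url attribute values)."""
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.handlers, parser.urls


if __name__ == "__main__":
    # Constructed payloads a content creator could store in a title / alt / URL.
    title = "<script>alert(document.cookie)</script>"
    alt = 'x" onerror="alert(1)'
    src = "  JavaScript:alert(1)"
    for label, markup in [
        ("breadcrumb vulnerable", render_breadcrumb_vulnerable("Site", title)),
        ("breadcrumb safe      ", render_breadcrumb_safe("Site", title)),
        ("carousel vulnerable  ", render_carousel_item_vulnerable(src, alt)),
        ("carousel safe        ", render_carousel_item_safe(src, alt)),
    ]:
        print(label, audit(markup))
```

The audit() helper is also a cheap way to check a module's rendered output during review: feed it a page rendered with a payload-bearing title and look for tags or on* attributes that the template never emits itself.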

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Skype Status (skype_status) 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Skype Status module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Skype Status project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity


Page Access - Unsupported - SA-CONTRIB-2017-75

Drupal Contributed Security - Wed, 09/20/2017 - 14:43
  • Advisory ID: DRUPAL-SA-CONTRIB-2017-75
  • Project: Page Access (third-party module)
  • Date: 20-September-2017
Description

This module provides an option to grant View and Edit access to specific users and roles on each node page.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed Page Access module, there is nothing you need to do.

Solution

If you use the Page Access module for Drupal you should uninstall it.

Also see the Page Access project page.

Reported by / Fixed by: Not applicable


Flag clear - Moderately Critical - CSRF - DRUPAL-SA-CONTRIB-2017-074

Drupal Contributed Security - Wed, 09/13/2017 - 12:50
Description

The Flag clear module allows administrators to remove user flags for content. This functionality is often useful in user-submission use-cases, where users do not necessarily need to unflag things on their own.

The module does not sufficiently confirm a user's intent before clearing flags, which allows a cross-site request forgery (CSRF) attack: a user with the ability to clear flags can be tricked into unflagging content by visiting an attacker's page.
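
"Does not sufficiently confirm a user's intent" is the Drupal security team's standard wording for CSRF, and it applies equally to the Configuration Update Manager import, the Cloud audit-report deletion and the Brilliant Gallery entries above. The usual cause is a state-changing operation reachable by a plain link (or a custom handler) that checks the permission but not a token tied to the victim's session. The Python below is an added example written for this page, not any of these modules' code: make_token() and valid_token() follow the idea of Drupal 7's drupal_get_token() and drupal_valid_token() (an HMAC over an operation-specific value, keyed by the session and a server secret), and the delete handlers contrast the vulnerable and fixed patterns. The path, the store and the secret are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Stand-in for the server-side secret Drupal mixes into drupal_get_token()
# (the private key plus the hash salt); constructed for this example.
SITE_SECRET = "constructed-site-secret-replace-me"


def make_token(session_id, value, secret=SITE_SECRET):
    """HMAC over the operation's identifying value, keyed by the caller's session
    and a server-side secret, so only a page rendered for this session can mint it."""
    key = hashlib.sha256((session_id + secret).encode("utf-8")).digest()
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def valid_token(token, session_id, value, secret=SITE_SECRET):
    """Counterpart of drupal_valid_token(); constant-time comparison."""
    expected = make_token(session_id, value, secret)
    return hmac.compare_digest(token.encode("utf-8"), expected.encode("utf-8"))


def delete_link(session_id, report_id):
    """The only form of destructive link a page should emit: the operation and
    the target are bound into the token. The path is hypothetical."""
    value = "delete-report-%d" % report_id
    return "/admin/reports/%d/delete?%s" % (
        report_id, urlencode({"token": make_token(session_id, value)}))


def _report_id(url):
    return int(urlparse(url).path.rstrip("/").split("/")[-2])


def handle_delete_vulnerable(url, has_permission, store):
    """The pattern behind the CSRF advisories: the permission is checked, the
    user's intent is not, so any page the victim visits can trigger it."""
    if not has_permission:
        return "forbidden"
    store.discard(_report_id(url))
    return "deleted"


def handle_delete_fixed(url, session_id, has_permission, store):
    """Permission AND a valid token for this session and this exact operation."""
    if not has_permission:
        return "forbidden"
    report_id = _report_id(url)
    token = parse_qs(urlparse(url).query).get("token", [""])[0]
    if not valid_token(token, session_id, "delete-report-%d" % report_id):
        return "invalid token"
    store.discard(report_id)
    return "deleted"


if __name__ == "__main__":
    reports = {1, 2, 3}
    admin_session, attacker_session = "sess-admin-1", "sess-attacker-9"
    # A link embedded in the attacker's page: they can guess the path but
    # cannot produce a token for the administrator's session.
    forged = "/admin/reports/2/delete"
    print(handle_delete_vulnerable(forged, True, reports), sorted(reports))
    print(handle_delete_fixed(forged, admin_session, True, reports))
    print(handle_delete_fixed(delete_link(attacker_session, 3), admin_session, True, reports))
    print(handle_delete_fixed(delete_link(admin_session, 3), admin_session, True, reports), sorted(reports))
```

In Drupal the token check comes for free when the operation is a Form API submission (Drupal 7) or a route declared with the `_csrf_token: 'TRUE'` requirement (Drupal 8); the bug class on this page is operations that bypass both, typically confirmation-free links.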

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All Flag clear module versions prior to 7.x-1.10.

Drupal core is not affected. If you do not use the contributed Flag clear module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Flag clear project page.
