Drupal Contributed Security

Syndicate content
Updated: 1 day 7 hours ago

Media - Critical - 1.x branch unsupported - SA-CONTRIB-2017-042

Wed, 04/12/2017 - 15:48
  • Advisory ID: DRUPAL-SA-CONTRIB-2017-042
  • Project: Media (third-party module)
  • Date: 12-Apr-2017
Description

The Media module provides an extensible framework for managing files and multimedia assets, regardless of whether they are hosted on your own site or a 3rd party site - it is commonly referred to as a 'file browser to the internet'.

Versions affected
  • Only the 1.x branch is affected. Version 2.0 does not have this vulnerability.

Drupal core is not affected. If you do not use the contributed Media module, there is nothing you need to do.

Solution

If you use the Media 1.x branch you should upgrade to version 2.0 or later.

See the Media 2.0 release notes for more information on how to upgrade (it's more complex than most contrib upgrades - for example, it involves other contrib modules moving from media_entity to file_entity)!

Also see the Media project page.

Reported by Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Open Atrium - Moderately critical - Information Disclosure - SA-CONTRIB-2017-041

Wed, 04/12/2017 - 14:01
Description

Open Atrium is a distribution the enables collaboration sites to be built. It contains several custom modules to provide various functionality. While content is often protected behind private groups, public content can also be shared. When using Open Atrium as an internal Intranet, this "public" content might be restricted to only logged in users by disabling anonymous access to the site.

The oa_core and oa_comment modules do not properly respect the "view published content" permission and allows anonymous users to view this "public" content regardless of the permission setting.

This only affects sites that have disabled the "view published content" permission for anonymous users, and only affects a small number of views.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Open Atrium distribution 7.x-2.x versions prior to 7.x-2.615
  • oa_core 7.x-2.x versions prior to 7.x-2.84.
  • oa_comment 7.x-2.x versions prior to 7.x-2.14.

Drupal core is not affected. If you do not use the contributed Open Atrium Core module, there is nothing you need to do.

Solution

Install the latest version of Open Atrium. Be sure to revert the following features:
oa_comments, oa_core, oa_news, oa_river, oa_section, oa_sections

Also see the Open Atrium project page.

Reported by Fixed by
  • Mike Potter the distribution maintainer and member of the Drupal Security Team
Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 

@Base - Critical - Unsupported - SA-CONTRIB-2017-040

Wed, 04/12/2017 - 13:21
  • Advisory ID: DRUPAL-SA-CONTRIB-2017-040
  • Project: @Base (third-party module)
  • Date: 2017-April-12
Description

Provide some more API for developer to work with Drupal 7.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

Versions affected
  • All versions.

Drupal core is not affected. If you do not use the contributed @Base module, there is nothing you need to do.

Solution

If you use the @Base module for Drupal you should uninstall it.

Also see the @Base project page.

Reported by Fixed by

Not applicable.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 

Scheduler Workbench Integration - Critical - Unsupported - SA-CONTRIB-2017-39

Wed, 04/12/2017 - 13:03
Updates

20170414 - A new module maintainer has been found and a new release for this module has been published.

Description

Provides integration between the Scheduler module and the Workbench Moderation module.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed Scheduler Workbench Integration module, there is nothing you need to do.

Solution

If you use the Scheduler Workbench Integration module for Drupal you should uninstall it.

Also see the Scheduler Workbench Integration project page.

Reported by Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

References - Unsupported - SA-CONTRIB-2017-38

Wed, 04/12/2017 - 12:54
  • Advisory ID: DRUPAL-SA-CONTRIB-2017-38
  • Project: References (third-party module)
  • Date: 12-Apr-2017
Updates 2017-04-18 -- This issue has been resolved with the release of references 7.x-2.2

2017-04-14 - A potential new maintainer is working through the process of fixing the References module. When this is complete a new release will be published and this SA will be updated.

The specific details of the original vulnerability cannot be shared. While we also cannot promise a specific date for a fix, the Drupal Security team will work with the potential new maintainer to get this issue resolved as soon as possible.

Description

Please note, the security team will not release information on this vulnerability for up to a month, the recommendation is to migrate. Emails asking for details on the vulnerability will not be responded to. If you would like to maintain the module, please follow the directions below.

This project provides D7 versions of the 'node_reference' and 'user_reference' field types, that were part of the CCK package in D6, at functional parity with the D6 counterparts.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed References module, there is nothing you need to do.

Solution

If you use the References module for Drupal you should uninstall it.

Also see the References project page.

Notably, if you started with References and need to maintain equivalent functionality, we recommend reviewing the feature set of Entity Reference. If Entity Reference can work for you, there is a Reference to EntityReference Field Migration module that can assist in the transition.

Reported by Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Filemaker Form - Critical - Unsupported - SA-CONTRIB-2017-37

Wed, 04/12/2017 - 12:38
  • Advisory ID: DRUPAL-SA-CONTRIB-2017-37
  • Project: Filemaker Form (third-party module)
  • Date: 12-Apr-2017
Description

Easily create forms in Drupal that submit data to Filemaker databases which are hosted on Filemaker Server.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed Filemaker Form module, there is nothing you need to do.

Solution

If you use the Filemaker Form module for Drupal you should uninstall it.

Also see the Filemaker Form project page.

Reported by Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Legal - Critical - Unsupported - SA-CONTRIB-2017-36

Wed, 04/12/2017 - 12:32
  • Advisory ID: DRUPAL-SA-CONTRIB-2017-36
  • Project: Legal (third-party module)
  • Date: 12-Apr-2017
Description

Displays your Terms & Conditions to users who want to register, and requires that they accept the T&C before their registration is accepted.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed Legal module, there is nothing you need to do.

Solution

If you use the Legal module for Drupal you should uninstall it.

Also see the Legal project page.

Reported by Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via
the contact form at https://www.drupal.org/contact.

Learn more about the
Drupal Security team and their policies
, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Book access - Critical - Unsupported - SA-CONTRIB-2017-35

Wed, 04/12/2017 - 12:25

  • Advisory ID: DRUPAL-SA-CONTRIB-2017-35
  • Project: Book access (third-party module)
  • Date: 12-April-2017
Description

This module alters the book module permissions model by letting you specify access/modify/delete rights on a per-book basis. Normally, book-related permissions provided by drupal core apply across all books, but this module will let you drill down as granular as to letting specific users have specific rights for specific books.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed Book access module, there is nothing you need to do.

Solution

If you use the Book access module for Drupal you should uninstall it.

Also see the Book access project page.

Reported by Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Auto Login URL - Less Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-034

Wed, 04/05/2017 - 10:36
Description

This module lets you create auto login URLs programmatically on demand and through tokens.

The module does not provide sufficient protection when generating login URLs. An attacker could rebuild login URLs independently thereby logging in as another user.

This vulnerability is mitigated by the fact that an attacker needs to be able to exactly guess the second when a login URL was generated for a user. Furthermore the attacker also needs to know the victim user ID and login destination of the generated login URL. The attack is also mitigated by the fact that the module has flood control, so an attacker has only limited attempts to guess login URLs.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Auto Login URL 8.x-1.x versions prior to 8.x-1.2.
  • Auto Login URL 7.x-1.x versions prior to 7.x-1.7.

Drupal core is not affected. If you do not use the contributed Auto Login URL module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Auto Login URL project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 

Linkit - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-033

Wed, 03/22/2017 - 12:40
Description

Linkit provides an easy interface for internal and external linking with WYSIWYG editors by using an autocomplete field.

When searching for entities, this module doesn't always enforce the access restrictions and users may see information about entities they should not be able to access.

This is mitigated by the fact that a user must have access to a text format that uses Linkit.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Linkit 8.x-4.x versions prior to 8.x-4.3.

Drupal core is not affected. If you do not use the contributed Linkit- Enriched linking experience module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Linkit module for Drupal 8.x, upgrade to Linkit 8.x-4.3

Also see the Linkit- Enriched linking experience project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 

Office Hours - Moderately Critical - Cross Site Scripting - DRUPAL-SA-CONTRIB-2017-032

Wed, 03/22/2017 - 12:37
Description

This module enables you to show the office hours of a location to the public.

The module doesn't sufficiently filter user input for malicious Cross Site Scripting (xss).

This vulnerability is mitigated by the fact that an attacker must have a role with a permission to add fields to an entity.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Office Hours 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed Office Hours module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Office Hours project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 

Private - Critical - Access bypass - DRUPAL-SA-CONTRIB-2017-031

Wed, 03/15/2017 - 14:15
Description

This module enables you to mark nodes as private so that they are only accessible to users that have been granted an extra permissions.

The module doesn't always enforce the access restrictions. In some cases a node that a site admin expects to be private is actually accessible as normal or nodes may be editable in ways a site admin may not expect.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Private 7.x-1.x versions

Drupal core is not affected. If you do not use the contributed Private module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Private module 7.x-1.x your site may be at risk. The only completely safe option is to take the website off-line. In most cases, disabling the module will not mitigate the vulnerabilities as that will expose even more private information.
  • A new maintainer has developed a beta secure version of the module using the 7.x-2.x branch. This is a partial rewrite and needs further testing. Please test it and provide bug reports and help developing patches.

Also see the Private project page.

Reported by

Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 

PRLP - Critical - Access Bypass and Privilege Escalation - SA-CONTRIB-2017-030

Wed, 03/08/2017 - 13:11
Description

This module adds a form on the password-reset-landing page to allow changing the password of the user during the log in process.

The module does not sufficiently validate all access tokens, which allows an attacker to change the password of any arbitrary user and gain access to their account.

In order to exploit, the attacker must have an active account on the site.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • PRLP versions prior to 8.x-1.3

Drupal core is not affected. If you do not use the contributed Password Reset Landing Page (PRLP) module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the PRLP module for Drupal 8.x, upgrade to PRLP 8.x-1.3 (the latest 8.x release as of this advisory date).

Also see the Password Reset Landing Page (PRLP) project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 

Services - Highly Critical - Arbitrary Code Execution - SA-CONTRIB-2017-029

Wed, 03/08/2017 - 11:39
Description

This module provides a standardized solution for building API's so that external clients can communicate with Drupal.

The module accepts user submitted data in PHP's serialization format ("Content-Type: application/vnd.php.serialized") which can lead to arbitrary remote code execution.

This vulnerability is mitigated by the fact that an attacker must know your Service Endpoint's path, and the Service Endpoint must have "application/vnd.php.serialized" enabled as a request parser. The module does not create endpoints by default, however the "application/vnd.php.serialized" request parser is enabled by default on any endpoints created by a site builder.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Services 7.x-3.x versions prior to 7.x-3.19.

Drupal core is not affected. If you do not use the contributed Services module, there is nothing you need to do.

Solution

Install the latest version:

You may disable "application/vnd.php.serialized" under "Request parsing" in Drupal to prevent the exploit: /admin/structure/services/list/[my-endpoint]/server

However, installing the latest version of the Services module is highly recommended.

Also see the Services project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Edited 2017 March 9th to add details about which elements of the vulnerability are default or not.

Drupal version: 

Breakpoint Panels - Critical - Unsupported - SA-CONTRIB-2017-028

Wed, 03/01/2017 - 13:58
  • Advisory ID: DRUPAL-SA-CONTRIB-2017-028
  • Project: breakpoint panels (third-party module)
  • Version: 7.x
  • Date: 2017-March-01
Description

Breakpoint panels adds a button to the Panels In-Place Editor for each pane. When selected, it will display checkboxes next to all of the breakpoints specified in that modules UI. Unchecking any of these will 'hide' it from that breakpoint.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed breakpoint panels module, there is nothing you need to do.

Solution

If you use the breakpoint panels module for Drupal 7.x you should uninstall it.

Also see the breakpoint panels project page.

Reported by Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

AES - Critical - Unsupported - SA-CONTRIB-2017-027

Wed, 03/01/2017 - 11:50
  • Advisory ID: DRUPAL-SA-CONTRIB-2017-027
  • Project: AES encryption (third-party module)
  • Version: 7.x, 8.x
  • Date: 2017-March-01
Description

This module provides an API that allows other modules to encrypt and decrypt data using the AES encryption algorithm.

The module does not follow requirements for encrypting data safely. An attacker who gains access to data encrypted with this module could decrypt it more easily than should be possible. The maintainer has opted not to fix these weaknesses. See solution section for details on how to migrate to a supported and more secure AES encryption module.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of the AES module

Drupal core is not affected. If you do not use the contributed AES encryption module, there is nothing you need to do.

Solution

If you're using the AES only because Drupal Remote Dashboard (DRD) and Drupal Remote Dashboard Server (DRD Server) depend on it, then update to the latest versions of DRD or DRD Server and disable the AES module -- those modules no longer depend on it.

In all other situations, you can replace the AES module with the Real AES module:

  • If you don't have a recent backup, make a backup of your site's database and codebase. Consider taking your site offline (e.g. using Drupal's maintenance mode) as some features may not work properly during this upgrade process.
  • Do NOT follow the normal uninstall process for the AES module. The uninstall process would delete your encryption key and make it impossible to recover your data! Instead, disable the module and delete the AES module directory without uninstalling the module.
  • Download and extract the latest release of Real AES
  • Download and extract the latest release of Key
  • Enable the Real AES, Key and AES compatibility modules
  • Use the Key module to create a new 128-bit encryption key with the name "Real AES Key".
  • Clear all your Drupal caches.
  • Modules that depend on AES and store encrypted data will continue to function as normal. They should decrypt and re-encrypt any stored data. The Real AES module provides some functions from the AES module (like, aes_encrypt() and aes_decrypt()) which can decrypt using your old key, but will re-encrypt using the new key and more correct AES encryption.

More detailed instructions available on the AES project page

Also see the AES encryption project page.

Reported by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Location Map - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-026

Wed, 03/01/2017 - 11:43
Description

This module enables you to display one simple location map via Google Maps.

The module doesn't sufficiently sanitize user input in the configuration text fields of the module (allows any tags and does not respect text format configuration).

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer locationmap".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • locationmap 7.x-2.x versions prior to 7.x-2.4.

Drupal core is not affected. If you do not use the contributed Location Map module, there is nothing you need to do.

Solution

Install locationmap-7.x-2.4

Also see the Location Map project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Remember Me - Critical - Unsupported - SA-CONTRIB-2017-025

Wed, 03/01/2017 - 11:34
  • Advisory ID: DRUPAL-SA-CONTRIB-2017-025
  • Project: Remember Me (third-party module)
  • Version: 7.x
  • Date: 2017-March-01
Updates

2017-04-23 — This issue has been resolved with the release of remember_me 7.x-1.1

Description

Remember me is a module that allows users to check "Remember me" when logging in.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed Remember Me module, there is nothing you need to do.

Solution

If you use the remember_me module for Drupal 7.x you should uninstall it.

Also see the remember_me project page.

Reported by Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

RestWS - Moderately Critical - Information Disclosure - SA-CONTRIB-2017-024

Wed, 03/01/2017 - 11:31
Description

RestWS makes Drupal Entity data available in a REST API.

The module doesn’t sufficiently check for access to properties when filtering queries.

This vulnerability is mitigated by the fact that an attacker must have a role that allows them to access an entity type with access-controlled properties. And the attacker can only query on the property equalling a value supplied by the attacker.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • restws 7.x-2.x versions prior to 7.x-2.7.

Drupal core is not affected. If you do not use the contributed RESTful Web Services module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the restws 2.x module for Drupal 7.x, upgrade to restws 7.x-2.7

Also see the RESTful Web Services project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

DownloadFile - Critical - Unsupported - SA-CONTRIB-2017-023

Wed, 02/22/2017 - 13:22
Description

DownloadFile is a module to direct download files or images.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed download file module, there is nothing you need to do.

Solution

If you use the download_file module for Drupal 7.x you should uninstall it.

Also see the download file project page.

Reported by Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: