Skip directly to content

Feed aggregator

SA-CONTRIB-2014-099 - Open Atrium Core - Access bypass

Drupal Contrib Security Announcements - Wed, 10/15/2014 - 16:56
Description

The oa_core module contains the base access control mechanism for the Open Atrium distribution (OA2). In OA2, file attachments are given the same access permission as the node they are attached to.

The vulnerability is when an attachment is removed from a node that has Revisions enabled. It allows anonymous users to view the file that is still attached to the previous revision.

This vulnerability is mitigated by the fact that it requires using Revisions and removing files attached to revisions. If revisions are disabled or files are not removed from nodes then access works as designed.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • oa_core 7.x-2.x versions prior to 7.x-2.22.

Drupal core is not affected. If you do not use the contributed Open Atrium module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Open Atrium project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.

Drupal version: Drupal 7.x
Categories: Security posts

SA-CORE-2014-005 - Drupal core - SQL injection

Drupal Core Security Announcements - Wed, 10/15/2014 - 16:02
Description

Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.

A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.

This vulnerability can be exploited by anonymous users.

CVE identifier(s) issued

  • CVE-2014-3704
Versions affected
  • Drupal core 7.x versions prior to 7.32.
Solution

Install the latest version:

If you are unable to update to Drupal 7.32 you can apply this patch to Drupal's database.inc file to fix the vulnerability until such time as you are able to completely upgrade to Drupal 7.32.

Also see the Drupal core project page.

Reported by
  • Stefan Horst
Fixed by Coordinated by Contact and More Information

We've prepared a FAQ on this release. Read more at https://www.drupal.org/node/2357241.

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-098 - CKEditor - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 10/15/2014 - 12:36
Description

The CKEditor module (and its predecessor, FCKeditor module) allows Drupal to replace textarea fields with CKEditor 3.x/4.x (FCKeditor 2.x in case of FCKeditor module) - a visual HTML editor, sometimes called WYSIWYG editor.

Both modules define a function, called via an ajax request, that filters text before passing it into the editor, to prevent certain cross site scripting attacks on content edits (that the JavaScript library might not handle). Because the function did not check a CSRF token for anonymous users, it was possible to perform reflected XSS against anonymous users via CSRF.

The problem existed in CKEditor/FCKeditor modules for Drupal, not in JavaScript libraries with the same names.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • CKEditor 7.x-1.x versions prior to 7.x-1.15.
  • CKEditor 6.x-1.x versions prior to 6.x-1.14.
  • FCKeditor 6.x-2.x versions prior to 6.x-2.3.

Drupal core is not affected. If you do not use the contributed CKEditor - WYSIWYG HTML editor module, there is nothing you need to do.

Solution

Install the latest version:

Also see the CKEditor - WYSIWYG HTML editor project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2014-097 - nodeaccess - Access Bypass

Drupal Contrib Security Announcements - Wed, 10/08/2014 - 13:40
Description

Nodeaccess is a Drupal access control module which provides view, edit and delete access to nodes.

This module enables you to inadvertently allow an author of a node view/edit/delete the node in question (who may not have access). The module over-eagerly grants read/write/delete access to all authors of nodes.

In addition, a node that is unpublished, but is granted node specific permissions will obey the node specific permissions and not the unpublished content permission for the role.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Nodeaccess 6.x-1.x versions prior to 6.x-1.5.
  • Nodeaccess 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Nodeaccess module,
there is nothing you need to do.

Solution

Ensure that you are using the latest version of the Nodeaccess module when installing. For existing nodes, please ensure that the author permissions are correct.

Also see the Nodeaccess project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2014-096 - OAuth2 Client - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 10/08/2014 - 13:33
Description

OAuth2 Client is an API support module, enabling other modules to connect to services using OAuth2 authentication.

Within its API code the Client class exposes variables in an error message, which originate from a third party source without proper sanitisation thus leading to a Cross Site Scripting vulnerability.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • OAuth2 Client 7.x-2.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed OAuth2 Client module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the OAuth2 Client project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-095 - Safeword - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 09/24/2014 - 19:30
Description

The safeword module provides an automatically generated 'Machine Name' when text is entered into a human-readable field.

The module doesn't sufficiently sanitize the field description that can be used as help text under the machine name editing field.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer taxonomy".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Safeword 7.x-1.x versions prior to 7.x-1.9.

Drupal core is not affected. If you do not use the contributed Safeword module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Safeword project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.

Categories: Security posts

SA-CONTRIB-2014-094 - Webform Patched - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 09/24/2014 - 19:29
Description

The Webform Patched module is a fork of the Webform module with Token support added. The module enables you to create forms which can be used for surveys, contact forms or other data collection throughout your site.

The module doesn't sufficiently sanitize field label titles when two fields have the same form_key, which can only be managed by carefully crafting the webform structure via a specific set of circumstances.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "create webform content".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Webform Patched 6.x-3.x versions prior to 6.x-3.20.
  • Webform Patched 7.x-3.x versions prior to 7.x-3.20.

Drupal core is not affected. If you do not use the contributed Webform Patched module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Webform Patched project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2014-093 - Twilio - Information Disclosure

Drupal Contrib Security Announcements - Wed, 09/24/2014 - 19:29
Description

This module enables you to easily add SMS and VOIP functionality to your website by leveraging the Twilio cloud Voip and SMS service.

The module doesn't expose its own permissions for administration including viewing and editing the Twilio authentication tokens. It relies only on "access administration pages" permission which is frequently granted to less-trusted users.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access administration pages".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Twilio 7.x-1.x versions prior to 7.x-1.9.

Drupal core is not affected. If you do not use the contributed Twilio module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Twiliio module for Drupal 7.x, upgrade to Twilio 7.x-1.9

Also see the Twilio project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-092 - Services - Cross Site Scripting, Access bypass

Drupal Contrib Security Announcements - Wed, 09/24/2014 - 19:21
Description

The Services module enables you to expose an API to third party systems using REST, XML-RPC or other protocols.

New user's password set to weak password in _user_resource_create()

When creating a new user account via Services, the new user's password was set to a weak password.

This issue is mitigated by the fact that the user resource must be enabled (or least have been enabled in the past) and new user registration permitted via Services.

Action required: This release of Services comes with an interface and a drush command to perform actions in order to secure your site and get rid of this vulnerability. After installing this release and running the regular database updates, make sure to read all the information provided at admin/config/services/services-security, and pick the option most suited to your site. For example, you can reset the password of all user accounts that have been created since August 30th, 2013 (recommended).

Unfiltered JSONP callback parameter (XSS)

The JSONP response of a callback parameter is unfiltered and outputs raw HTTP data. This can lead to arbitrary JavaScript execution.

This issue is mitigated by the fact that JSONP is not enabled by default in the REST server response formatters and the HTTP client Accept header must be set to text/javascript or application/javascript if the "xml" formatter is enabled.

Services module now restricts callback parameters to alphanumeric characters only and a hard limit of 60 characters.

Flood control for user login bypass

Flood control was not properly enforced leaving it vulnerable to brute force attacks. Services now implements flood control just like core Drupal does.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Services 7.x-3.x versions prior to 7.x-3.10.

Drupal core is not affected. If you do not use the contributed Services module,
there is nothing you need to do.

Solution

Install the latest version:

  1. If you use the Services module for Drupal 7.x, upgrade to Services 7.x-3.10
  2. follow the security update instructions at admin/config/services/services-security

Also see the Services project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-091 - Survey Builder - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 09/17/2014 - 15:07
Description

This module allows you to use the Form Builder module to provide an intuitive interface for building surveys, along with the back-end for storing surveys and their responses.

Cross Site Scripting (XSS)

When viewing surveys at "/surveys", the survey titles printed out are not sanitized. Any potentially dangerous code in the survey titles is also rendered.

This vulnerability is mitigated by the fact that a user must have the "Create Survey" permission to be able to set the survey titles.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • survey_builder 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Survey Builder module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Survey Builder project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-090 Speech recognition - Multiple vulnerabilities

Drupal Contrib Security Announcements - Wed, 09/17/2014 - 14:55
Description

This module enables you to add speech recognition to forms, allowing site admins to enable experimental Speech Input API features on form inputs through the user interface.

Cross Site Scripting (XSS)

The module incorrectly prints fields without proper sanitization thereby opening a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer speech".

Cross Site Request Forgery (CSRF)

The module enables in-place configuration of form options via AJAX requests, but it doesn't sufficiently check the source of those requests, making possible for an attacker to cause a user to unknowingly make changes to the field configurations.

This vulnerability is mitigated by the fact that the attacked administrator must have a role with the permission "administer speech".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • All versions of Speech recognition.

Drupal core is not affected. If you do not use the contributed module, there is nothing you need to do.

Drupal core is not affected. If you do not use the contributed Speech recognition module,
there is nothing you need to do.

Solution

If you use the Speech recognition module you should uninstall it.

Also see the Speech recognition project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-089 - Geofield Yandex Maps - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 09/17/2014 - 14:40
Description

The Geofield Yandex Maps module provides a Geofield widget, Geofield formatter, Views handler, Form element and Text filter to allow Yandex maps to be added to a site.

The module does not sufficiently filter user-supplied text, resulting in a persistent Cross Site Scripting (XSS) vulnerability.

The vulnerability is mitigated by the fact that an attacker would need permission to create nodes or entities using the Geofield widget.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Geofield Yandex Maps 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Geofield Yandex Maps module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Geofield Yandex Maps project page.

Reported by
  • Matt V. (provisional member of the Drupal Security Team)
Fixed by
  • Matt V. (provisional member of the Drupal Security Team)
Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-088 - Mollom - Cross-site scripting (XSS)

Drupal Contrib Security Announcements - Wed, 09/17/2014 - 14:11
Description

Mollom is an "intelligent" content moderation web service which determines if a post is potentially spam; not only based on the posted content, but also on the past activity and reputation of the poster across multiple sites.

Mollom offers a feature to report submitted content as inappropriate which allows end users to indicate that a piece of site content is objectionable or out of place. When reporting content, the content title is not sufficiently sanitized to prevent cross-site scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content and the content type must be enabled for "Flag as Inappropriate" within the Mollom advanced configuration settings (which is not the default setting).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Mollom 6.x-2.x versions from 6.x-2.7 to 6.x-2.10
  • Mollom 7.x-2.x versions from 7.x-2.9 to 7.x-2.10

Drupal core is not affected. If you do not use the contributed Mollom module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Mollom project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at href="https://www.drupal.org/contact">https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2014-087 - Drupal Commerce - Information disclosure

Drupal Contrib Security Announcements - Wed, 09/10/2014 - 17:23
Description

Drupal Commerce is used to build eCommerce websites and applications of all sizes.

The commerce_order module can be used to create new user accounts where email addresses are used as user names. Since user names are not considered private information in Drupal this is an information disclosure of email addresses.

This vulnerability is mitigated by the fact that the commerce_checkout module must be enabled with the default rule configuration enabled that creates new user accounts when an anonymous user completes the checkout process.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Drupal Commerce 7.x-1.x versions prior to 7.x-1.10.

Drupal core is not affected. If you do not use the contributed Drupal Commerce module,
there is nothing you need to do.

Solution

Drupal Commerce 1.10 includes an update function that will change all user names on the site that look like email addresses. This can be a disruptive process for some sites and therefore must be enabled explicitly by the update administrator. If you don't run the default update function you need to make sure yourself that user names are not valid email addresses.

To enable the username cleaning update function, you must set the commerce_checkout_run_update_7103 variable to TRUE before running update.php or drush updb: You can either use $conf['commerce_checkout_run_update_7103'] = TRUE; in settings.php or drush vset commerce_checkout_run_update_7103 1.

Then install the latest version:

In case you don't want to apply the default update function you can just run update.php without the variable and the update function will be skipped.

Also see the Drupal Commerce project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-086 - Custom BreadCrumbs - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 09/10/2014 - 15:04
Description

Custom Breadcrumbs allows administrators to set up parametrized breadcrumb trails for different content types, views, panels, taxonomy vocabularies and terms, paths, and a simple API that allows contributed modules to enable custom breadcrumbs for module pages and theme templates.

User input is not properly sanitized in all use cases, opening a Cross Site Scripting (XSS) vulnerability.

The vulnerability is only present when the custom breadcrumb is configured with the <none> special identifier so that some of the breadcrumb items are not links. Typical example is that the last breadcrumb element is showing the current page title but is not a link. The XSS vulnerability is not triggered if all items of the breadcrumb are links and special identifier <none> is not used.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Custom Breadcrumbs 6.x-1.x versions prior to 6.x-1.6
  • Custom Breadcrumbs 6.x-2.x versions are NOT affected
  • Custom Breadcrumbs 7.x-2.x versions prior to 7.x-2.0-beta1

Drupal core is not affected. If you do not use the contributed Custom Breadcrumbs module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Custom Breadcrumbs project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2014-085 - Ubercart - Information disclosure

Drupal Contrib Security Announcements - Wed, 09/10/2014 - 14:58
Description

The Ubercart module for Drupal provides a shopping cart and e-commerce features for Drupal.

The per-user order history view is not properly protected.

This vulnerability is mitigated by the fact that an attacker must have an account with the "view own orders" permission and can only view order IDs, dates, statuses and totals with the default configuration.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Ubercart 7.x-3.x versions prior to 7.x-3.7.

Drupal core is not affected. If you do not use the contributed Ubercart module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Ubercart project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-084 - Avatar Uploader - Information Disclosure

Drupal Contrib Security Announcements - Wed, 09/03/2014 - 14:08
Description

The Avatar Uploader enables you to upload user pictures in a user-friendly way, like Quora and Facebook.

The module doesn't sufficiently check the picture path when a user crops the picture in the uploader panel allowing a malicious user to make specially crafted requests to obtain sensitive server files that are readable by the webserver user.

This vulnerability is mitigated by the fact that an attacker must know or guess the relative path out of the temporary directory and to the sensitive files.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Avatar_Uploader 6.x-1.x versions prior to 6.x-1.2
  • Avatar_Uploader 7.x-1.x versions prior to 7.x-1.0-beta5

Drupal core is not affected. If you do not use the contributed Avatar Uploader module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Avatar Uploader project page.

Reported by Fixed by Coordinated by
  • Greg Knaddison of the Drupal Security Team
  • Contact and More Information

    The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

    Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

    Drupal version: Drupal 6.xDrupal 7.x
    Categories: Security posts

    SA-CONTRIB-2014-083 - Rules Link - Cross Site Scripting (XSS)

    Drupal Contrib Security Announcements - Wed, 08/27/2014 - 14:17
    Description

    This module allows you to create links which trigger arbitrary functionality with the help of the Rules module.

    The module doesn't sufficiently sanitize the question and description strings when confirmation forms are displayed for triggering Rules links.

    This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer rules links".

    CVE identifier(s) issued
    • A CVE identifier will be requested, and added upon issuance, in accordance
      with Drupal Security Team processes.
    Versions affected
    • Rules Link 7.x-1.x versions prior to 7.x-1.1.

    Drupal core is not affected. If you do not use the contributed Rules Link module,
    there is nothing you need to do.

    Solution

    Install the latest version:

    Also see the Rules Link project page.

    Reported by Fixed by Coordinated by Contact and More Information

    The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

    Learn more about the Drupal Security team and their policies,
    writing secure code for Drupal, and securing your site.

    Drupal version: Drupal 7.x
    Categories: Security posts

    SA-CONTRIB-2014-082 - Marketo MA - Cross Site Scripting (XSS)

    Drupal Contrib Security Announcements - Wed, 08/20/2014 - 16:16
    Description

    The Marketo MA module adds Marketo marketing automation tracking capability to your website as well as the ability to capture lead data during user registration and via webform integration. It consists of a base module as well as Marketo MA User Webform and Marketo MA User sub-modules.

    The Marketo MA Webform and Marketo MA User modules included with the Marketo MA module incorrectly print field titles without proper sanitization thereby opening a Cross Site Scripting (XSS) vulnerability.

    The vulnerability in Marketo MA Webform is mitigated by the fact that an attacker must have permissions which allows them to create Webform fields, "create webform content" and manage their Marketo relationship, "administer marketo webform settings".

    The vulnerability in Marketo MA User is mitigated by the fact that an attacker must have a permission which allows them to create fields (such as "administer users") and manage Marketo MA configuration, "administer marketo".

    CVE identifier(s) issued
    • A CVE identifier will be requested, and added upon issuance, in accordance
      with Drupal Security Team processes.
    Versions affected
    • Marketo MA 7.x-1.3 and all earlier version.

    Drupal core is not affected. If you do not use the contributed Marketo MA module,
    there is nothing you need to do.

    Solution

    Install the latest version:

    Also see the Marketo MA project page.

    Reported by Fixed by Coordinated by Contact and More Information

    The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

    Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

    Categories: Security posts

    SA-CONTRIB-2014-081 - Site Banner - Cross Site Scripting (XSS)

    Drupal Contrib Security Announcements - Wed, 08/20/2014 - 14:08
    Description

    The Site Banner module enables you to display a banner at the top and bottom of a Drupal site.

    This module incorrectly prints existing context settings without proper sanitization, opening a Cross Site Scripting (XSS) vulnerability.

    This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer contexts" from the Context UI module.

    CVE identifier(s) issued
    • A CVE identifier will be requested, and added upon issuance, in accordance
      with Drupal Security Team processes.
    Versions affected
    • Site Banner 7.x-4.x versions prior to 7.x-4.0.
    • Site Banner 7.x-1.x versions prior to 7.x-1.1.

    Drupal core is not affected. If you do not use the contributed module,
    there is nothing you need to do.

    Solution

    Install the latest version:

    Also see the project page.

    Reported by Fixed by Coordinated by Contact and More Information

    The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

    Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

    Drupal version: Drupal 7.x
    Categories: Security posts

    Pages