Skip directly to content

Feed aggregator

Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2016-002

Drupal Core Security Announcements - Wed, 06/15/2016 - 18:45
Description Saving user accounts can sometimes grant the user all roles (User module - Drupal 7 - Moderately Critical)

A vulnerability exists in the User module, where if some specific contributed or custom code triggers a rebuild of the user profile form, a registered user can be granted all user roles on the site. This would typically result in the user gaining administrative access.

This issue is mitigated by the fact that it requires contributed or custom code that performs a form rebuild during submission of the user profile form.

Views can allow unauthorized users to see Statistics information (Views module - Drupal 8 - Less Critical)

An access bypass vulnerability exists in the Views module, where users without the "View content count" permission can see the number of hits collected by the Statistics module for results in the view.

This issue is mitigated by the fact that the view must be configured to show a "Content statistics" field, such as "Total views", "Views today" or "Last visit".

The same vulnerability exists in the Drupal 7 Views module (see SA-CONTRIB-2016-036).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Drupal core 7.x versions prior to 7.44
  • Drupal core 8.x versions prior to 8.1.3
Solution

Install the latest version:

Also see the Drupal core project page.

Reported by

Saving user accounts can sometimes grant the user all roles:

Views can allow unauthorized users to see Statistics information:

Fixed by

Saving user accounts can sometimes grant the user all roles:

Views can allow unauthorized users to see Statistics information:

Coordinated by

The Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.xDrupal 8.x
Categories: Security posts

Views - Less Critical - Access Bypass - SA-CONTRIB-2016-036

Drupal Contrib Security Announcements - Wed, 06/15/2016 - 18:42
Description

An access bypass vulnerability exists in the Views module, where users without the "View content count" permission can see the number of hits collected by the Statistics module for results in the view.

This issue is mitigated by the fact that the view must be configured to show a "Content statistics" field, such as "Total views", "Views today" or "Last visit".

The same vulnerability exists in the Drupal 8 core Views module SA-CORE-2016-002

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Views 7.x-3.x versions prior to 7.x-3.14.

Drupal core is not affected. If you do not use the contributed Views module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Views project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Security posts

Outline Designer - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-035

Drupal Contrib Security Announcements - Wed, 06/08/2016 - 17:21
Description

This module enables you to mass administer book outlines and perform common operations through one interface, improving the usability for the book module.

The module doesn't sufficiently sanitize titles when presenting them on this interface.

This vulnerability is mitigated by the fact that an attacker must have have the ability to use outline designer, which is generally reserved for content authors and system admins.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Outline Designer 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Outline Designer module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Outline Designer project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Security posts

Node Embed - Denial of Service - Less critical - SA-CONTRIB-2016-034

Drupal Contrib Security Announcements - Wed, 06/08/2016 - 14:23
Description

This module enables you to embed the contents of one node in the body field of another.

The module doesn't sufficiently protect against a node being embedded in itself, or a loop being created of one node being embedded in another which is then itself embedded in the first node.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content which allows other content to be embedded.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All Node Embed 7.x-1.x versions.

Drupal core is not affected. If you do not use the contributed Node Embed module, there is nothing you need to do.

Solution
  • If you use the Node Embed module for Drupal 7.x you should uninstall it.

Also see the Node Embed project page.

Reported by Fixed by
  • Not applicable.
Coordinated by
  • Not applicable.
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Security posts

Page Manager Search - Moderately Critical - Information disclosure - SA-CONTRIB-2016-032

Drupal Contrib Security Announcements - Wed, 06/08/2016 - 13:58
Description

This module enables you to make Panels pages (and other pages managed by CTools' Page Manager submodule) indexible and searchable through the standard Search module provided in Drupal core.

The module doesn't block access to Page Manager pages which have been disabled.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Page Manager Search 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Page manager search module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Page manager search project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Security posts

REST JSON - Multiple Vulnerabilities - Highly Critical - Unsupported - SA-CONTRIB-2016-033

Drupal Contrib Security Announcements - Wed, 06/08/2016 - 13:56
Description

This module enables you to expose content, users and comments via a JSON API.
The module contains multiple vulnerabilities including

  • Node access bypass
  • Comment access bypass
  • User enumeration
  • Field access bypass
  • User registration bypass
  • Blocked user login
  • Session name guessing
  • Session enumeration

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All 7.x-1.x versions

Drupal core is not affected. If you do not use the contributed REST JSON module, there is nothing you need to do.

Drupal core is not affected. If you do not use the contributed REST/JSON module, there is nothing you need to do.

Solution

If you use the REST JSON module for Drupal 7.x you should uninstall it.

Also see the REST/JSON project page.

Reported by Fixed by

Not applicable

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Opening hours - Moderately Critical - XSS - SA-CONTRIB-2016-031

Drupal Contrib Security Announcements - Wed, 06/01/2016 - 13:14
Description

This module enables you to enter opening hours for locations in a highly detailed way.

The module doesn't sufficiently escape input data from user input.

This vulnerability is mitigated by the fact that an attacker must be able to edit opening hours by having a role with the permission “Edit opening hours for content”, or have permissions to edit taxonomy terms.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Opening Hours 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed Opening hours module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Opening hours project page.

Reported by Fixed by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

XML Sitemap - Moderately Critical - XSS - SA-CONTRIB-2016-030

Drupal Contrib Security Announcements - Wed, 05/25/2016 - 15:50
Description

The XML Sitemap module enables you to create sitemaps which help search engines to more intelligently crawl a website and keep their results up to date.

The module doesn't sufficiently filter the URL when it is displayed in the sitemap.

This vulnerability is mitigated if the setting for "Include a stylesheet in the sitemaps for humans." on the module's administration settings page is not enabled (the default is enabled).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • XML Sitemap 7.x-2.x versions prior to 7.x-2.3.

Drupal core is not affected. If you do not use the contributed XML Sitemap module, there is nothing you need to do.

Solution

Install the latest version:

Also see the XML Sitemap project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Views Megarow - Critical - Access Bypass - SA-CONTRIB-2016-029

Drupal Contrib Security Announcements - Wed, 05/18/2016 - 17:54
Description

This module enables you to display content from any path within a list of content inside a view or form. The content is displayed in a modal-like format when the user clicks on the "view link" or any custom links created.

The module doesn't sufficiently check access permissions when the user clicks on a views megarow link.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Views megarow 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed Views Megarow module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Views Megarow project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Security posts

Registration Codes - Less Critical - Input Validation Vulnerability - SA-CONTRIB-028

Drupal Contrib Security Announcements - Wed, 05/18/2016 - 17:54
Description

This module enables you to allow users to enter a special registration code in order to sign up for the site.

The module doesn't sufficiently validate the entered registration code

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Registration Codes 7.x-2.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Registration codes module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Registration codes project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Dropbox client - Multiple Vulnerabilities - SA-CONTRIB-2016-027

Drupal Contrib Security Announcements - Wed, 05/18/2016 - 17:29
Description

This module enables you to view dropbox files in your Drupal site.

The module doesn't sufficiently sanitize filenames when displaying them to users or administrators leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must be able to upload files to the dropbox folder that the victim later views through the Drupal site.

Additionally, the module shipped with hardcoded and exposed Oauth credentials, making known users of the module exposed to phishing and/or access bypass.

The app secret has been made invalid, making the exposed secrets unusable for the attacker. This also makes the module unusable without upgrading and taking necessary steps to register a new Dropbox app.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All dropbox_client 7.x-3.x versions.

Drupal core is not affected. If you do not use the contributed Dropbox Client module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the dropbox_client module for Drupal 7.x, upgrade to dropbox_client 7.x-4.0
  • Versions 3.x is no longer supported

Also see the Dropbox Client project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Open Atrium Notifications - Less Critical - Information Disclosure - SA-CONTRIB-2016-026

Drupal Contrib Security Announcements - Wed, 05/04/2016 - 16:43
Description

Open Atrium is a distribution of Drupal that allows you to build collaborative web sites. The Open Atrium Notification module adds the ability to send email notifications to users subscribed to certain content.

When combined with the Open Atrium Mailhandler app, incoming email replies to notifications can be processed as new comments. Notifications generated from these imported replies can be sent to the wrong list of users.

This vulnerability is mitigated by the fact that it depends on the specific configuration of the mailhandler that is processing notifications.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • oa_notifications 7.x-2.x versions prior to 7.x-2.30.
  • Open Atrium 7.x-2.x versions prior to 7.x-2.63.

Drupal core is not affected. If you do not use the contributed Open Atrium Notifications module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Open Atrium Notifications project page.

Reported by
  • Mike Potter provisional member of the Drupal Security Team and Open Atrium maintainer.
Fixed by Coordinated by
  • Mike Potter provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Fieldable Panels Panes - Moderately Critical - XSS - SA-CONTRIB-2016-025

Drupal Contrib Security Announcements - Wed, 05/04/2016 - 16:06
Description

This module enables you to create fieldable entities that have special integration with Panels.

The module doesn't sufficiently filter the entity title or admin title fields when they are displayed in either the Panels admin UI or the In-Place Editor (IPE), allowing for specially crafted XSS attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with the necessary permissions to create FPP objects, and then either:

  • a user with permission to use the Panels In-Place-Editor (IPE) must visit a page that the FPP object is added to; or
  • a user with permission to use the Panels admin interface must edit a page the FPP object is added to.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Fieldable Panels Panes 7.x-1.x versions prior to 7.x-1.10.

Drupal core is not affected. If you do not use the contributed Fieldable Panels Panes (FPP) module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Fieldable Panels Panes (FPP) project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

EPSA Crop - Image Cropping - Critical -XSS - SA-CONTRIB-2016-024 - Unsupported

Drupal Contrib Security Announcements - Wed, 04/20/2016 - 16:51
Description

EPSA Crop is a module that allows a user to choose coordinates for different presets on an image. If a user defines coordinates EPSACrop will override the Imagecache process and will set new coordinates.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of EPSA Crop module.

Drupal core is not affected. If you do not use the contributed EPSA Crop module, there is nothing you need to do.

Solution

If you use the EPSA Crop module for Drupal 7.x you should uninstall it.

Also see the EPSA Crop project page.

Reported by Fixed by

Not applicable.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

Organic groups - Moderately Critical - Access bypass - DRUPAL-SA-CONTRIB-2016-023

Drupal Contrib Security Announcements - Wed, 04/20/2016 - 14:24
Description

This module enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate among themselves. Selective groups require approval in order to become a member, or even invitation-only groups.

Under the certain field configurations a user is able to subscribe without approval to group that requires approving the membership. Depending on permissions, the user may be able to post content to that group.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Organic groups 7.x-2.x versions prior to 7.x-2.9.

Drupal core is not affected. If you do not use the contributed Organic groups module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Organic groups project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Search API - Moderately Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-022

Drupal Contrib Security Announcements - Wed, 04/20/2016 - 13:31
Description

This module enables you to build searches using a wide range of features, data sources and backends.

Search index not updated by node access changes

The module doesn't sufficiently re-index nodes when using the "Node access" or "Access check" data alterations and non-standard ways of changing node access are used. This could lead to nodes or comments being listed in search results to which the visitor viewing the results should not have access.

This vulnerability is mitigated by the fact that this only occurs in uncommon setups, and that only nodes that were already accessible to the user at some point can be displayed.

XSS vulnerability in Views search results

The module doesn't sufficiently sanitize field values returned directly from the search server (e.g., Solr).

This vulnerability is mitigated by the fact that several components/modules need to be configured in a specific way to allow this vulnerability to be exploited.

Doesn't check for "access comments" permission when searching for comments

The module doesn't sufficiently check the user's permissions when comments are searched.

This vulnerability is mitigated by the fact that it only occurs in specific site configurations:

  • A search index with item type "Comment".
  • Using the "Access check" data alteration for protection.
  • The site allowing certain users to view content (nodes), but not comments.
  • A search page for the comment index must be accessible for these users.
CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Search API 7.x-1.x versions prior to 7.x-1.18.

Drupal core is not affected. If you do not use the contributed Search API module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Search API project page.

Reported by Fixed by Coordinated by
  • Mike Potter provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Boost - Moderately Critical - Information Disclosure - SA-CONTRIB-2016-021

Drupal Contrib Security Announcements - Wed, 04/13/2016 - 18:30
Description

This module provides static page caching for Drupal enabling a very significant performance and scalability boost for sites that receive mostly anonymous traffic.

The module doesn't prevent form cache from leaking between anonymous users which could result in information disclosure, where one user sees form data generated for another.

This vulnerability is mitigated by the fact that it only affects AJAX forms which expose sensitive data to anonymous users.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Boost 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Boost module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Boost module for Drupal 7.x, upgrade to Boost 7.x-1.1

Also see the Boost project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Features - Less Critical - Denial of Service (DoS) - SA-CONTRIB-2016-020

Drupal Contrib Security Announcements - Wed, 04/13/2016 - 15:50
Description

This module enables you to organize and export configuration data.

The module doesn't sufficiently protect the admin/structure/features/cleanup path with a token. If an attacker can trick an admin with the "manage features" permission to request a special URL, it could lead to clearing the cache repeatedly and a Denial of Service (DoS) attack.

This vulnerability is mitigated by the fact that the admin with the "manage features" permissions must be logged in when they request the special URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Features 7.x-2.x versions prior to 7.x-2.9.
  • Features 7.x-1.x which is no longer supported.

Drupal core is not affected. If you do not use the contributed Features module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Features project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Drupal Commerce - Less Critical - Information disclosure - SA-CONTRIB-2016-019

Drupal Contrib Security Announcements - Wed, 04/06/2016 - 16:16
Description

This module enables you to build an online store that uses nodes to display products through the use of product reference fields. The default widget for those fields is an autocomplete textfield similar to the taxonomy term reference field's autocomplete widget. As you type in the textfield, the Commerce Product module returns a JSON array of matching product SKUs / titles for you to select.

The module doesn't sufficiently restrict access to the autocomplete path under the default configuration of the field. A visitor to the website could browse directly to the autocomplete path to see a list of products that would ordinarily be returned to the autocomplete JavaScript to populate the autocomplete dropdown. Default parameters on the function used to generate this list cause it to bypass the product access control check that would ordinarily restrict product visibility to end users based on your site's permissions.

This vulnerability is mitigated by the fact that an attacker must know what the autocomplete path is and what arguments to include in it to generate a valid response based on your site's architecture. Additionally, in most eCommerce sites, product SKUs and titles are not by themselves considered private information.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Drupal Commerce 7.x-1.x versions prior to 7.x-1.13.

Drupal core is not affected. If you do not use the contributed Drupal Commerce module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Drupal Commerce project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

HybridAuth - Less critical - Multiple vulnerabilities - SA-CONTRIB-2016-018

Drupal Contrib Security Announcements - Wed, 04/06/2016 - 15:13
Description

The HybridAuth Social Login module enables you to allow visitors to authenticate or login to a Drupal site using their identities from social networks like Facebook or Twitter.

Open redirect

The module doesn't verify the "destination" redirect after a login to be a non-external URL causing an open redirect vulnerability. This vulnerability can be used by any attacker crafting a special login link.

Information disclosure

The module doesn't check the tokens in the "destination" redirect value allowing an attacker to specify arbitrary tokens. Any token value is exposed in the redirect URL.

This vulnerability is mitigated by the fact that there must be secret data on the site that is exposed through the token system (for example an access protected field). An attacker must have a knowledge on what fields/tokens contain secret information.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • HybridAuth Social Login 7.x-2.x versions prior to 7.x-2.15.

Drupal core is not affected. If you do not use the contributed HybridAuth Social Login module, there is nothing you need to do.

Solution

Install the latest version:

Also see the HybridAuth Social Login project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Pages