Skip directly to content

Feed aggregator

SA-CONTRIB-2014-115 - Form Builder - Cross-Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 11/19/2014 - 20:34
Description

The Form Builder module enables users to build entire Form API structures through a graphical, AJAX-like interface.

The module doesn't sufficiently sanitize form titles in some cases.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create forms in another module that depends on Form Builder, such as Survey Builder, Webform, or others.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Form Builder 7.x-1.x versions prior to 7.x-1.6.
  • Form Builder 6.x-1.x versions prior to 6.x-1.6.

Drupal core is not affected. If you do not use the contributed Form Builder module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Form Builder project page.

Reported by
  • Matt Vance provisional member of the Drupal Security Team
Fixed by Coordinated by
  • Matt Vance provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2014-114 - Tournament - Cross Site Scripting

Drupal Contrib Security Announcements - Wed, 11/19/2014 - 20:11
Description

This project allows you to create various types of tournaments (as nodes) and associated teams, tournaments, and matches.

There are several cases in the project where an account username, node title, and team entity title are not correctly filtered before being displayed to a user.

It is possible to create nodes or entities containing XSS or usernames could be imported with XSS in the strings or created via an add-on module like LDAP or similar.

This vulnerability is mitigated by the fact that an attacker must have a role with the permissions "Create new teams" or "Tournament: Create new content" or "Match: Create new content" or the ability to create users with an XSS payload in the usernames (Drupal core's input validation prevents XSS payloads in usernames).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Tournament 7.x-1.x any version

Drupal core is not affected. If you do not use the contributed Tournament module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Tournament project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-113 - Secure Password Hashes - Denial of Service

Drupal Contrib Security Announcements - Wed, 11/19/2014 - 19:54
Description

This module enables a more secure password storage for Drupal 6 by back-porting the code used in Drupal 7 core.

A vulnerability in this API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service).

This vulnerability can be exploited by anonymous users

See also: https://www.drupal.org/SA-CORE-2014-006

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Secure Password Hashes 6.x-2.x versions prior to 6.x-2.1.

Drupal core is not affected. If you do not use the contributed Secure Password Hashes module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Secure Password Hashes project page.

Reported by Fixed by
  • Peter Wolanin the module maintainer and Drupal Security Team member
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2014-006

Drupal Core Security Announcements - Wed, 11/19/2014 - 18:21
Description Session hijacking (Drupal 6 and 7)

A specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session.

This attack is known to be possible on certain Drupal 7 sites which serve both HTTP and HTTPS content ("mixed-mode"), but it is possible there are other attack vectors for both Drupal 6 and Drupal 7.

Denial of service (Drupal 7 only)

Drupal 7 includes a password hashing API to ensure that user supplied passwords are not stored in plain text.

A vulnerability in this API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service).

This vulnerability can be exploited by anonymous users.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Drupal core 6.x versions prior to 6.34.
  • Drupal core 7.x versions prior to 7.34.
Solution

Install the latest version:

If you have configured a custom password.inc file for your Drupal 7 site you also need to make sure that it is not prone to the same denial of service vulnerability. See also the similar security advisory for the Drupal 6 contributed Secure Password Hashes module: SA-CONTRIB-2014-113

Also see the Drupal core project page.

Reported by

Session hijacking:

Denial of service:

Fixed by

Session hijacking:

Denial of service:

Coordinated by
  • The Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2014-112 - Node Field - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 11/19/2014 - 18:06
Description

Node Field module allows you to add custom extra fields to single Drupal nodes.

The module doesn't sufficiently sanitize user input for some of the module's internal fields. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create nodes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Node Field 7.x-2.x versions prior to 7.x-2.45.

Drupal core is not affected. If you do not use the contributed Node Field module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Node Field project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-111 - Protected Pages - Password Protection Bypass

Drupal Contrib Security Announcements - Wed, 11/19/2014 - 17:56
Description

Protected Pages modules allows the administrator to secure any page in your website by password by configuring a add path and the associated password.

The module did not sufficiently protect variations on the protected path.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Protected Pages 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Protected Pages module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Protected Pages project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-109 - Freelinking - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 11/12/2014 - 15:14
Description

The Freelinking module implements a filter framework for easier creation of HTML links to other pages on the site or to external sites.

The module does not sanitize the node title when providing a link to the node, opening a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that the person creating the content containing the link must have a role that allows use of an unsafe text format (e.g. "Full HTML"), or the Freelinking filter must be placed after all text sanitizion filters (e.g. "Limit allowed HTML tags") in an otherwise safe text format (e.g. "Filtered HTML").

Please note that this vulnerability also existed the freelinking_nodetitle.inc in versions prior to 6.x-3.4 and 7.x-3.4, but this was patched in releases 6.x-3.4 and 7.x-3.4.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Freelinking 6.x-x.x versions prior to 6.x-3.5.
  • Freelinking 7.x-x.x versions prior to 7.x-3.5.

Drupal core is not affected. If you do not use the contributed Freelinking module,
there is nothing you need to do.

Solution

Install the latest version:

Please note that the plugin freelinking_path.inc contains multible vulnerabilities and was removed in the releases 6.x-3.3 and 7.x-3.3. You should check to see if this file is still present, and if it is: Remove it from the plugin sub-directory before you install the latest version.

Also see the Freelinking project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2014-108 - Webform Component Roles - Access Bypass

Drupal Contrib Security Announcements - Wed, 11/12/2014 - 14:50
Description

The Webform component module enables site admins to limit visibility or editability of webform components based on user roles.

The module doesn't sufficiently check that disabled component values are not modified upon submission of the form.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Webform Component Roles 6.x-1.x versions prior to 6.x-1.8.
  • Webform Component Roles 7.x-1.x versions prior to 7.x-1.8.

Drupal core is not affected. If you do not use the contributed Webform Component Roles module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Webform Component Roles project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2014-107 - Scheduler - Cross Site Scripting

Drupal Contrib Security Announcements - Wed, 11/12/2014 - 14:37
Description

The Scheduler module allows nodes to be published and unpublished on specified dates. The module allows administrators to provide additional help text on the content editing form when scheduling is enabled.

The module doesn't sufficiently filter the help text which could lead to a Cross Site Scripting (XSS) attack.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer scheduler".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Scheduler 6.x-1.x versions prior to 6.x-1.10.
  • Scheduler 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Scheduler module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Scheduler project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2014-106 - Commerce Authorize.Net SIM/DPM Payment Methods - Access Bypass

Drupal Contrib Security Announcements - Wed, 10/29/2014 - 19:55
Description

This module provides payment methods for the Drupal Commerce package to permit the use of the Authorize.Net payment gateway's SIM and DPM payment protocols.

Access Bypass

The module doesn't sufficiently protect the Drupal Commerce order number passed to the Authorize.Net payment gateway, allowing a specially modified payment POST transaction to Authorize.Net to be applied to a previous order still in the checkout state. This could allow the previous transaction to be marked as paid despite the fact that the payment applied was smaller than its outstanding balance.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Commerce Authorize.Net SIM/DPM Payment Methods 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Commerce Authorize.Net SIM/DPM Payment Methods module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Commerce Authorize.Net SIM/DPM Payment Methods project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-105 - OG Menu - Access Bypass

Drupal Contrib Security Announcements - Wed, 10/29/2014 - 16:50
Description

OG Menu allows using menus within Organic Groups.

The permissions for accessing the module settings were to broad, possibly granting access to users who would normally not be able to change the OG Menu configuration.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access administration pages".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • OG Menu 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed OG Menu module,
there is nothing you need to do.

Solution

Install the latest version of the 7.x-2.x branch:

The OG Menu 7.x-3.x branch is not affected.

Also see the OG Menu project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-104 - Addressfield Tokens - Cross Site Scripting

Drupal Contrib Security Announcements - Wed, 10/29/2014 - 16:37
Description

The Addressfield Tokens module extends the Addressfield module by adding full token support.

The module doesn't sufficiently filter malicious user input, opening a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "create content" or "edit content".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Addressfield Tokens 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Addressfield Tokens module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Addressfield Tokens project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-103 - Passwordless - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 10/29/2014 - 16:03
Description

This module replaces the regular Drupal login form with a modification of the password-request form, to give the possibility to log in without using a password.

The module doesn't sufficiently sanitize user-generated text entered in the module's configuration form.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "configure passwordless settings".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Passwordless 7.x-1.x versions up to 7.x-1.8.

Drupal core is not affected. If you do not use the contributed Passwordless module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Passwordless project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-102 - Document - Cross Site Scripting

Drupal Contrib Security Announcements - Wed, 10/22/2014 - 15:15
Description

Document module is a basic Document Management System for Drupal.

Cross Site Scripting (XSS)

The module wasn't sanitizing user input sufficiently in a few use cases.

This vulnerability is mitigated by the the fact that a user must have permissions to add or edit documents to be able to exploit the vulnerability.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Document 6.x-1.11 versions prior to 6.x-1.11.
  • Document 7.x-1.20 versions prior to 7.x-1.20.

Drupal core is not affected. If you do not use the contributed Document module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Document project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2014-101 - Ubercart - Cross Site Request Forgery

Drupal Contrib Security Announcements - Wed, 10/22/2014 - 15:13
Description

The Ubercart module provides a shopping cart and e-commerce features for Drupal.

Cross Site Request Forgery (CSRF)

The country administration links are not properly protected. A malicious user could trick a store administrator into enabling or disabling a country by getting them to visit a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Ubercart 7.x-3.x versions prior to 7.x-3.8.
  • Ubercart 6.x-2.x versions prior to 6.x-2.14.

Drupal core is not affected. If you do not use the contributed Ubercart module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Ubercart project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2014-100 - Bad Behavior - Information Disclosure

Drupal Contrib Security Announcements - Wed, 10/22/2014 - 15:11
Description

This module enables you to to target any malicious software directed at a Web site, whether it be a spambot, ill-designed search engine bot, or system crackers. It blocks such access and then logs their attempts.

Information Disclosure

The module doesn't sufficiently sanitize log data, allowing usernames and passwords to get included in its logs.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer bad behavior".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • badbehavior 6.x-2.x versions prior to 6.x-2.2216.
  • badbehavior 7.x-2.x versions prior to 7.x-2.2216.

Drupal core is not affected. If you do not use the contributed Bad Behavior module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Bad Behavior project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2014-099 - Open Atrium Core - Access bypass

Drupal Contrib Security Announcements - Wed, 10/15/2014 - 16:56
Description

The oa_core module contains the base access control mechanism for the Open Atrium distribution (OA2). In OA2, file attachments are given the same access permission as the node they are attached to.

The vulnerability is when an attachment is removed from a node that has Revisions enabled. It allows anonymous users to view the file that is still attached to the previous revision.

This vulnerability is mitigated by the fact that it requires using Revisions and removing files attached to revisions. If revisions are disabled or files are not removed from nodes then access works as designed.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • oa_core 7.x-2.x versions prior to 7.x-2.22.

Drupal core is not affected. If you do not use the contributed Open Atrium module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Open Atrium project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.

Drupal version: Drupal 7.x
Categories: Security posts

SA-CORE-2014-005 - Drupal core - SQL injection

Drupal Core Security Announcements - Wed, 10/15/2014 - 16:02
Description

Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.

A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.

This vulnerability can be exploited by anonymous users.

CVE identifier(s) issued

  • CVE-2014-3704
Versions affected
  • Drupal core 7.x versions prior to 7.32.
Solution

Install the latest version:

If you are unable to update to Drupal 7.32 you can apply this patch to Drupal's database.inc file to fix the vulnerability until such time as you are able to completely upgrade to Drupal 7.32.

Also see the Drupal core project page.

Reported by
  • Stefan Horst
Fixed by Coordinated by Contact and More Information

We've prepared a FAQ on this release. Read more at https://www.drupal.org/node/2357241.

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-098 - CKEditor - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 10/15/2014 - 12:36
Description

The CKEditor module (and its predecessor, FCKeditor module) allows Drupal to replace textarea fields with CKEditor 3.x/4.x (FCKeditor 2.x in case of FCKeditor module) - a visual HTML editor, sometimes called WYSIWYG editor.

Both modules define a function, called via an ajax request, that filters text before passing it into the editor, to prevent certain cross site scripting attacks on content edits (that the JavaScript library might not handle). Because the function did not check a CSRF token for anonymous users, it was possible to perform reflected XSS against anonymous users via CSRF.

The problem existed in CKEditor/FCKeditor modules for Drupal, not in JavaScript libraries with the same names.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • CKEditor 7.x-1.x versions prior to 7.x-1.15.
  • CKEditor 6.x-1.x versions prior to 6.x-1.14.
  • FCKeditor 6.x-2.x versions prior to 6.x-2.3.

Drupal core is not affected. If you do not use the contributed CKEditor - WYSIWYG HTML editor module, there is nothing you need to do.

Solution

Install the latest version:

Also see the CKEditor - WYSIWYG HTML editor project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2014-097 - nodeaccess - Access Bypass

Drupal Contrib Security Announcements - Wed, 10/08/2014 - 13:40
Description

Nodeaccess is a Drupal access control module which provides view, edit and delete access to nodes.

This module enables you to inadvertently allow an author of a node view/edit/delete the node in question (who may not have access). The module over-eagerly grants read/write/delete access to all authors of nodes.

In addition, a node that is unpublished, but is granted node specific permissions will obey the node specific permissions and not the unpublished content permission for the role.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Nodeaccess 6.x-1.x versions prior to 6.x-1.5.
  • Nodeaccess 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Nodeaccess module,
there is nothing you need to do.

Solution

Ensure that you are using the latest version of the Nodeaccess module when installing. For existing nodes, please ensure that the author permissions are correct.

Also see the Nodeaccess project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

Pages