Feed aggregator

SA-CONTRIB-2013-047 - Google Authenticator login - Access Bypass

Drupal Contrib Security Announcements - Wed, 05/15/2013 - 18:10
Description

This module adds Time-based One-time Password (TOTP) support, also called "Two Step Authentication" or "Multi-Factor Authentication", to user logins. It works with Google's Authenticator app and supports most (if not all) OATH-based HOTP/TOTP systems.

Accidental removal of account configuration.

In certain scenarios, Google Authenticator login incorrectly determines the user's account name. The change in account name could cause the two-factor authentication for existing accounts to be lost, allowing users to log in using just username and password.

This vulnerability is mitigated by the fact that, while Google Authenticator login's additional verification is bypassed, a username and password are still required to log in.

One Time Password (OTP) replay

If an attacker can intercept a login request containing a username, password and OTP, the attacker can submit the same data again to log in to the website.

This vulnerability is mitigated by the fact that an attacker who can intercept a login request with this level of detail can usually also intercept the ongoing session identifying token.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Google Authenticator login 6.x-1.x versions prior to 6.x-1.2.
  • Google Authenticator login 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Google Authenticator login module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Google Authenticator login project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.


SA-CONTRIB-2013-046 - Filebrowser - Reflected Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 05/01/2013 - 15:09
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-046
  • Project: Filebrowser (third-party module)
  • Version: 6.x
  • Date: 2013-May-1
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

Filebrowser module allows site administrators to expose a particular file system folder and all of its subfolders with an FTP-like interface to site visitors.

The module doesn't sufficiently sanitize user input when presenting lists of files.

Because the vulnerability is reflected Cross Site Scripting, the only mitigating factor is that an authenticated user must be tricked into visiting a specially crafted malicious URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Filebrowser 6.x-2.x versions prior to 6.x-2.2.

Drupal core is not affected. If you do not use the contributed Filebrowser module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Filebrowser project page.

SA-CONTRIB-2013-045 - Autocomplete Widgets for Text and Number Fields (autocomplete_widgets) - Access bypass

Drupal Contrib Security Announcements - Wed, 04/17/2013 - 16:49
Description

Autocomplete Widgets module adds autocomplete widgets for Text and Number fields.

The autocomplete callback implemented by this module does not honor node permissions to access existing fields, allowing users to see field values even though they are not authorized to access that information.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create or edit content.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Autocomplete Widgets 6.x-1.x versions prior to 6.x-1.4.
  • Autocomplete Widgets 7.x-1.x versions prior to 7.x-1.0-rc1.

Drupal core is not affected. If you do not use the contributed Autocomplete Widgets for Text and Number Fields module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Autocomplete Widgets for Text and Number Fields project page.

SA-CONTRIB-2013-044 - elFinder file manager - Cross Site Request Forgery (CSRF)

Drupal Contrib Security Announcements - Wed, 04/17/2013 - 16:06
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-044
  • Project: elFinder file manager (third-party module)
  • Version: 6.x, 7.x
  • Date: 2013-April-17
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Request Forgery
Description

The elfinder module provides an AJAX-based file manager based on the elFinder javascript library.

The module doesn't sufficiently verify requests thereby exposing a Cross Site Request Forgery (CSRF) vulnerability. This would enable an attacker to create, modify, or delete files on the server.

There are no mitigating factors.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • elfinder 6.x-0.x versions prior to 6.x-0.8.
  • elfinder 7.x-0.x versions prior to 7.x-0.8.

Drupal core is not affected. If you do not use the contributed elFinder file manager module, there is nothing you need to do.

Solution

Install the latest version:

Also see the elFinder file manager project page.

SA-CONTRIB-2013-043 - MP3 Player - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 04/17/2013 - 14:27
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-043
  • Project: MP3 Player (third-party module)
  • Version: 6.x
  • Date: 2013-April-17
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

This module lets you easily enable a Flash MP3 Player on a CCK FileField.

The module doesn't sufficiently filter user-supplied text from MP3 filenames.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create a node with an MP3 filefield that has the MP3 player set as the display widget.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All MP3 Player versions.

Drupal core is not affected. If you do not use the contributed MP3 Player module, there is nothing you need to do.

Solution

Disable the module:

  • If you use the MP3 Player module for Drupal 6.x you should disable the module.

Also see the MP3 Player project page.

Fixed by

Not applicable.

SA-CONTRIB-2013-042 - RESTful Web Services (RESTWS) - Denial of Service

Drupal Contrib Security Announcements - Wed, 04/10/2013 - 15:52
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-042
  • Project: RESTful Web Services (third-party module)
  • Version: 7.x
  • Date: 2013-April-10
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Denial of Service
Description

This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF.

The module interferes with Drupal's page cache and allows an attacker to poison the cache with non-HTML page responses, thereby exposing a denial of service vulnerability.

This vulnerability is mitigated by the fact that page caching must be enabled and the anonymous user role must be assigned a RESTWS permission, for example "access resource node".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • RESTWS 7.x-1.x versions prior to 7.x-1.3.
  • RESTWS 7.x-2.x versions prior to 7.x-2.0-alpha5.

Drupal core is not affected. If you do not use the contributed RESTful Web Services module, there is nothing you need to do.

Solution

Install the latest version:

Also see the RESTful Web Services project page.

SA-CONTRIB-2013-041 - Chaos tool suite (ctools) - Access bypass

Drupal Contrib Security Announcements - Wed, 04/03/2013 - 18:04
Description

The CTools module provides a set of APIs and tools to improve the developer experience.

The module doesn't sufficiently enforce node access when providing an autocomplete list of suggested node titles, allowing users with the "access content" permission to see the titles of nodes which they should not be able to view.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Chaos tool suite (ctools) 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Chaos tool suite (ctools) module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Ctools module for Drupal 7.x, upgrade to Ctools 7.x-1.3

Also see the Chaos tool suite (ctools) project page.

SA-CONTRIB-2013-040 - Commerce Skrill (Formerly Moneybookers) - Access bypass

Drupal Contrib Security Announcements - Wed, 04/03/2013 - 17:01
Description

This module integrates the Skrill online payment services with Drupal Commerce.

When processing Instant payment notifications (IPN), the "Moneybookers enterprise" payment method provided by the Commerce Skrill contributed module does not perform sufficient access checking, potentially allowing forged notifications to be accepted as valid.

The vulnerability is mitigated by the fact that it only affects the "Moneybookers enterprise" payment method.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

The "Moneybookers enterprise" payment method provided by the Commerce Skrill contributed module in all versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Commerce Skrill (Formerly Moneybookers) module, there is nothing you need to do.

Solution

Install the latest version. The "Moneybookers enterprise" payment method now requires the use of the hash security option.

  • Upgrade to Commerce Skrill 7.x-1.2
  • In the Skrill back office, enable securityHash verification under Administration > Processing > Processing Settings.
  • Get the security token, and paste it in the Secret key field of the payment method configuration form.

Also see the Commerce Skrill (Formerly Moneybookers) project page.

SA-CONTRIB-2013-039 - Commons Wikis - Access bypass & Privilege escalation

Drupal Contrib Security Announcements - Wed, 03/27/2013 - 20:34
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-039
  • Project: Commons Wikis (third-party module)
  • Version: 7.x
  • Date: 2013-March-27
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass, Multiple vulnerabilities
Description

The Drupal Commons distribution is a tool for building social, group-based collaboration communities. The Commons Wikis module is used by the distribution to provide specific wiki functionality.

Versions 3.0 and earlier of the Commons Wikis module are vulnerable to an access bypass and privilege escalation vulnerability that allows anonymous users to post content into groups.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Drupal Commons and Commons Wikis versions prior to 7.x-3.1.

Drupal core is not affected. If you do not use the contributed Commons Wikis module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Commons Wikis module, upgrade to Commons Wikis 7.x-3.1 or install the latest version of the Drupal Commons distribution (7.x-3.1), which includes the fix for Commons Wikis.

Also see the Commons Wikis project page.

SA-CONTRIB-2013-038 - Commons Groups - Access bypass & Privilege escalation

Drupal Contrib Security Announcements - Wed, 03/27/2013 - 20:33
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-038
  • Project: Commons Groups (third-party module)
  • Version: 7.x
  • Date: 2013-March-27
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass, Multiple vulnerabilities
Description

The Drupal Commons distribution is a tool for building social, group-based collaboration communities. The Commons Groups module is used by the distribution to provide specific Organic Groups customizations.

Versions 3.0 and earlier of the Commons Groups module are vulnerable to an access bypass and privilege escalation vulnerability that allows anonymous users to post content into groups.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Drupal Commons distribution and Commons Groups versions prior to 7.x-3.1.

Drupal core is not affected. If you do not use the contributed Commons Groups module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Commons Groups module, upgrade to Commons Groups 7.x-3.1 or install the latest version of the Drupal Commons distribution (7.x-3.1), which includes the fix for Commons Groups.

Also see the Commons Groups project page.

Fixed by

Commons project maintainers:

SA-CONTRIB-2013-037 - Rules - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 03/27/2013 - 17:46
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-037
  • Project: Rules (third-party module)
  • Version: 7.x
  • Date: 2013-March-27
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The Rules module allows site administrators to define conditionally executed actions based on occurring events (known as reactive or ECA rules). It is a replacement, with more features, for the Trigger module in core.

The module contains a persistent cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize rule tags before display.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer rules".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Rules 7.x-2.x versions prior to 7.x-2.3.

Drupal core is not affected. If you do not use the contributed Rules module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Rules module for Drupal 7.x, upgrade to Rules 7.x-2.3

Also see the Rules project page.

SA-CONTRIB-2013-036 - Zero Point - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 03/27/2013 - 17:44
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-036
  • Project: Zero Point (third-party module)
  • Version: 7.x
  • Date: 2013-March-27
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

Zero Point is a theme which includes many options, ideal for a wide range of sites. The theme does not escape user supplied text which creates a reflected Cross site scripting (XSS) vulnerability in URLs. There are no mitigating factors.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • zeropoint 7.x-1.x versions prior to 7.x-1.9.

Drupal core is not affected. If you do not use the contributed Zero Point module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Zero Point project page.

SA-CONTRIB-2013-035 - Views - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 03/20/2013 - 20:20
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-035
  • Project: Views (third-party module)
  • Version: 7.x
  • Date: 2013-March-20
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented.

The module incorrectly prints some view configuration fields without proper sanitization, opening a Cross Site Scripting vulnerability.

The vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer vocabularies and terms" or other administer-related permissions from contributed modules that integrate with Views.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Views 7.x-3.x versions prior to 7.x-3.6.

Drupal core is not affected. If you do not use the contributed Views module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Views module for Drupal 7.x, upgrade to Views 7.x-3.6

Also see the Views project page.

SA-CONTRIB-2013-034 - Node Parameter Control - Access Bypass

Drupal Contrib Security Announcements - Wed, 03/13/2013 - 21:28
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-034
  • Project: Node Parameter Control (third-party module)
  • Version: 6.x
  • Date: 2013-Mar-13
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This module enables you to limit the visibility of the fields on the node edit form.

The module doesn't sufficiently check access before allowing users to view and edit its configuration options, so anonymous and authenticated users are able to view and edit those options.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All 6.x-1.x versions

Drupal core is not affected. If you do not use the contributed Node Parameter Control module, there is nothing you need to do.

Solution

Uninstall the module. No patched version is available.

Also see the Node Parameter Control project page.

Fixed by

The module maintainer opted to mark the module as unsupported.

SA-CONTRIB-2013-033 - Simple Corporate theme - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 02/27/2013 - 20:58
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-033
  • Project: Simple Corporate (third-party theme)
  • Version: 7.x
  • Date: 2013-February-27
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

This third-party contributed theme changes Drupal's interface.

The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker would have to have the 'administer themes' permission.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Simple Corporate versions prior to 7.x-1.4

Drupal core is not affected. If you do not use the contributed Simple Corporate theme, there is nothing you need to do.

Solution

Install the latest version:

Also see the Simple Corporate project page.

SA-CONTRIB-2013-032 - Company theme - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 02/27/2013 - 20:57
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-032
  • Project: Company theme (third-party theme)
  • Version: 7.x
  • Date: 2013-February-27
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

This third-party contributed theme changes Drupal's interface.

The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker would have to have the 'administer themes' permission.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Company Theme versions prior to 7.x-1.4

Drupal core is not affected. If you do not use the contributed Company theme, there is nothing you need to do.

Solution

Install the latest version:

Also see the Company theme project page.

SA-CONTRIB-2013-031 - Premium Responsive theme - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 02/27/2013 - 20:56
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-031
  • Project: Premium Responsive (third-party theme)
  • Version: 7.x
  • Date: 2013-February-27
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

This third-party contributed theme changes Drupal's interface.

The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker would have to have the 'administer themes' permission.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Premium Responsive versions prior to 7.x-1.6

Drupal core is not affected. If you do not use the contributed Premium Responsive theme, there is nothing you need to do.

Solution

Install the latest version:

Also see the Premium Responsive project page.

SA-CONTRIB-2013-030 - Clean Theme - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 02/27/2013 - 20:55
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-030
  • Project: Clean Theme (third-party theme)
  • Version: 7.x
  • Date: 2013-February-27
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

This third-party contributed theme changes Drupal's interface.

The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker would have to have the 'administer themes' permission.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Clean Theme versions prior to 7.x-1.3

Drupal core is not affected. If you do not use the contributed Clean Theme, there is nothing you need to do.

Solution

Install the latest version:

Also see the Clean Theme project page.

SA-CONTRIB-2013-029 - Business theme - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 02/27/2013 - 20:53
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-029
  • Project: Business Theme (third-party theme)
  • Version: 7.x
  • Date: 2013-February-27
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

This third-party contributed theme changes Drupal's interface.

The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker would have to have the 'administer themes' permission.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Business theme versions prior to 7.x-1.8

Drupal core is not affected. If you do not use the contributed Business Theme, there is nothing you need to do.

Solution

Install the latest version:

Also see the Business Theme project page.

SA-CONTRIB-2013-028 - Responsive Blog Theme - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 02/27/2013 - 20:53
  • Advisory ID: DRUPAL-SA-CONTRIB-2013-028
  • Project: Responsive Blog (third-party theme)
  • Version: 7.x
  • Date: 2013-February-27
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

Responsive Blog Theme is a lightweight Drupal 7 theme with a modern look and feel.

The theme doesn't properly sanitize user-entered content in the social icon leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker would have to have the 'administer themes' permission.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Responsive Blog Theme 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed Responsive Blog theme, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Responsive Blog Theme for Drupal 7.x, upgrade to Responsive Blog Theme 7.x-1.6

Also see the Responsive Blog project page.
