Skip directly to content

Feed aggregator

Aegir - Moderately Critical - Code Execution Prevention - SA-CONTRIB-2015-113

Drupal Contrib Security Announcements - Wed, 05/20/2015 - 19:02
Description

The Aegir Hosting System enables you to deploy and manage Drupal sites.

When writing Apache vhost files for hosted sites on a common platform (multi-site), Aegir doesn't block execution of code uploaded to another site on the same platform.

This vulnerability is mitigated by the fact that an attacker must already have compromised another site, on the same multi-site install, sufficiently to upload executable code to its files directory.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Aegir Hosting System 6.x-2.x versions prior to 6.x-2.4.
  • Aegir Hosting System 7.x-3.x versions prior to 7.x-3.0-beta2.

Drupal core is not affected. If you do not use the contributed Hostmaster (Aegir) distribution,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Aegir Hosting System for Drupal 6.x, upgrade to Aegir 6.x-2.4
  • If you use the Aegir Hosting System for Drupal 7.x, upgrade to Aegir 7.x-3.0-beta2

After installation you need to run a verify task on all hosted sites. The easiest method is to use the Views Bulk Operations on the hosting/sites page.

Also see the Hostmaster (Aegir) project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

Navigate - Moderately Critical - Multiple Vulnerabilities - Unsupported - SA-CONTRIB-2015-112

Drupal Contrib Security Announcements - Wed, 05/20/2015 - 17:37
Description

Navigate is a customizable navigation tool for Drupal.

Access Bypass

In certain situations the module does not adequately check content permissions, allowing a malicious user with "navigate view" permission to modify custom widgets and create new widget database records.

Cross-site scripting

The module also doesn't sufficiently filter text, creating an XSS vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permissions "navigate view", "navigate_custom use" and either "navigate customize" or "navigate administer".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected

All versions of Navigate module.

Drupal core is not affected. If you do not use the contributed Navigate module,
there is nothing you need to do.

Solution

If you use the Navigate module you should uninstall it.

Also see the Navigate project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Security posts

Shipwire - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-111

Drupal Contrib Security Announcements - Wed, 05/20/2015 - 17:24
Description

The Shipwire API module handles communication with the Shipwire shipping service.

The Shipwire module doesn't check view permission for the shipments overview page when installed (admin/shipwire/shipments). Limited non-public information is displayed on the page.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Shipwire 7.x-1.x versions prior to 7.x-1.03.

Drupal core is not affected. If you do not use the contributed Shipwire module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Shipwire module for Drupal 7.x, please upgrade to Shipwire 7.x-1.03 or greater.
  • Check the settings have been updated by navigating to Structure -> Views -> Shipwire shipment. Under 'Page settings' make sure that 'Access' is set to 'Permission' -> 'View all Shipwire Shipments'.

Also see the Shipwire project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Security posts

Web Links - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-110

Drupal Contrib Security Announcements - Wed, 05/20/2015 - 16:26
Description

The Web Links module provides a comprehensive way to manage url links to other websites.

The module doesn't sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create/edit weblink nodes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Web Links 6.x-2.x versions prior to 6.x-2.6
  • Web Links 7.x-1.x versions prior to 7.x-1.0

Drupal core is not affected. If you do not use the contributed Web Links module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Web Links project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

pass2pdf - Critical - Information Disclosure - Unsupported - SA-CONTRIB-2015-109

Drupal Contrib Security Announcements - Wed, 05/20/2015 - 16:15
Description

This module allows you to let users set a password upon registering, and have the password emailed to the user in a PDF file.

The module has an Information Disclosure vulnerability. The generated PDF files are not protected. The user passwords are exposed to anonymous users.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • All versions of pass2pdf module

Drupal core is not affected. If you do not use the contributed pass2pdf module,
there is nothing you need to do.

Solution

If you use the pass2pdf module you should uninstall it.

Also see the pass2pdf project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Mobile sliding menu - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-108

Drupal Contrib Security Announcements - Wed, 05/06/2015 - 18:45
Description

The mobile sliding menu module integrates the mmenu jQuery plugin for creating slick, app look-alike sliding menus for your mobile website.

The module doesn't sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer menu".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Mobile sliding menu 7.x-2.x versions prior to 7.x-2.1.

Drupal core is not affected. If you do not use the contributed Mobile sliding menu module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Mobile sliding menu project page.

Reported by Fixed by Coordinated by
  • Aaron Ott provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Webform Matrix Component - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-107

Drupal Contrib Security Announcements - Wed, 05/06/2015 - 18:42
Description

The Webform Matrix Component module is an extension of the Webform module that adds Matrix and Table components.

The module doesn't sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create/edit webform nodes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Webform Matrix Component 7.x-4.x versions prior to 7.x-4.13.

Drupal core is not affected. If you do not use the contributed Webform Matrix Component module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Webform Matrix Component project page.

Reported by
  • Matt Vance provisional member of the Drupal Security Team
Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Entityform Block - Moderately Critical - Access Bypass - SA-CONTRIB-2015-106

Drupal Contrib Security Announcements - Wed, 05/06/2015 - 17:20
Description

This module enables you to display an entityform as a block.

The module doesn't sufficiently check permissions on the entityform under scenarios where the form is locked to a certain role.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Entityform Block 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Entityform block module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Entityform block project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Video Consultation - Moderately Critical - Cross Site Scripting (XSS) - Unsupported - SA-CONTRIB-2015-105

Drupal Contrib Security Announcements - Wed, 05/06/2015 - 17:18
Description

Video Consultation module integrates VideoWhisper Video Consultation software with Drupal.

The module doesn't sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

All versions of Video Consultation module.

Drupal core is not affected. If you do not use the contributed Video Consultation module, there is nothing you need to do.

Solution

If you use the Video Consultation module you should uninstall it.

Also see the Video Consultation project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

Dynamic display block - Less Critical - Access bypass - Unsupported - SA-CONTRIB-2015-104

Drupal Contrib Security Announcements - Wed, 05/06/2015 - 17:09
Description

This module enables you to showcase featured content at a prominent place on the front page of the site in an attractive way.

The module doesn't sufficiently protect access to content a user has no access to. In certain scenarios a user with the "administer ddblock" permission can see titles of content for which this user has no access.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer ddblock" permission.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

All versions of Dynamic display block module.

Drupal core is not affected. If you do not use the contributed Dynamic display block module, there is nothing you need to do.

Solution

If you use the Dynamic display block module you should uninstall it.

Also see the Dynamic display block project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

Views - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-103

Drupal Contrib Security Announcements - Wed, 04/29/2015 - 16:55
Description

The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented.

Access bypass due cache inconsistency

Due to an issue in the caching mechanism of Views it's possible that configured filters loose their effect.
This can lead to exposure of content that otherwise would be hidden from visitors.
This vulnerability is mitigated by the fact that it can't be exploited directly but occurs when certain prerequisites meet.
Systems that use in-memory cache backends like redis / memcache are more likely to be affected by this issue. This is due the common strategy used to free cache space if the configured memory limit of the cache is reached.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Views 7.x-3.x versions from 7.x-3.5 to 7.x-3.11.

Drupal core is not affected. If you do not use the contributed Views module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Views module for Drupal 7.x, upgrade to Views 7.x-3.11

Also see the Views project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Security posts

Smart Trim- Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-102

Drupal Contrib Security Announcements - Wed, 04/29/2015 - 16:50
Description

This module implements a new field formatter for textfields (text, text_long, and text_with_summary, if you want to get technical) that improves upon the "Summary or Trimmed" formatter built into Drupal 7.

The module doesn't sufficiently filter user input via the field settings form.

This vulnerability is mitigated by the fact that only administrative users who can administer field types can exploit it.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Smart Trim 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Smart Trim module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Smart Trim project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Security posts

MailChimp - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-101

Drupal Contrib Security Announcements - Wed, 04/29/2015 - 15:11
Description

The MailChimp module allows you to create and manage mailing lists via MailChimp's API.

The MailChimp module does not properly sanitize some user input, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the "administer mailchimp" permission.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • MailChimp 7.x-3.x versions prior to 7.x-3.3.
  • MailChimp 7.x-2.x all versions.
  • MailChimp 7.x-1.x all versions.

Drupal core is not affected. If you do not use the contributed MailChimp module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the MailChimp project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Camtasia Relay - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-100

Drupal Contrib Security Announcements - Wed, 04/29/2015 - 15:07
Description

This module enables you to integrate your Drupal site with TechSmith Relay software.
The module doesn't sufficiently sanitize user input under the meta access tab.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "view meta information".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • camtasia_relay 6.x-2.x versions prior to 6.x-3.2.
  • camtasia_relay 7.x-2.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Camtasia Relay module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Camtasia Relay project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

Node Template - Moderately Critical - Cross Site Scripting (XSS) - Unsupported - SA-CONTRIB-2015-099

Drupal Contrib Security Announcements - Wed, 04/22/2015 - 15:18
Description

Node Template module enables you to define any node as a node template and it can be duplicated later.

The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause a user with "access node template" permission to delete node templates by getting their browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

All versions of Node Template module.

Drupal core is not affected. If you do not use the contributed Node Template module, there is nothing you need to do.

Solution

If you use the Node Template module you should uninstall it.

Also see the Node Template project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

Keyword Research - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-098

Drupal Contrib Security Announcements - Wed, 04/22/2015 - 15:12
Description

Keyword Research module enables you to tag and prioritize keywords on a site and node level basis.

The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause another user with "kwresearch admin site keywords" permission to create, delete and set priorities to keywords by getting their browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Keyword Research 6.x-1.x versions prior to 6.x-1.2.

Drupal core is not affected. If you do not use the contributed Keyword Research module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Keyword Research project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

HybridAuth Social Login - Less Critical - Information Disclosure - SA-CONTRIB-2015-097

Drupal Contrib Security Announcements - Wed, 04/22/2015 - 15:04
Description

HybridAuth Social Login module enables you to allow visitors to authenticate or login to a Drupal site using their identities from social networks like Facebook or Twitter.

The module may store user passwords in plain text.

This vulnerability is mitigated by the fact that the option "Ask user for a password when registering" must be enabled. The information is disclosed to anyone with access to the database, "administer users" or "administer site configuration" permission.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • HybridAuth Social Login 7.x-2.x versions prior to 7.x-2.10.

Drupal core is not affected. If you do not use the contributed HybridAuth Social Login module, there is nothing you need to do.

Solution

Install the latest version:

Also see the HybridAuth Social Login project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Services - Critical - Multiple Vulnerabilites - SA-CONTRIB-2015-096

Drupal Contrib Security Announcements - Wed, 04/15/2015 - 18:18
Description

Services module enables you to expose an API to third party systems.

Access bypass (file upload and execution)

The resource/endpoint for uploading files does not properly sanitize the filename of uploaded files. This vulnerability is mitigated by the fact that the "File > Create" resource must be enabled and an attacker must have a role with the Services "Save file information" permission.

Private fields information displayed

Services does not check field_access when displaying entities so some private field information may be displayed. This vulnerability only affects sites using the field access system (for example, via the Field Permissions module) to hide fields from anonymous users.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected

Services 7.x-3.x versions prior to 7.x-3.12.

Drupal core is not affected. If you do not use the contributed Services module,
there is nothing you need to do.

Solution

Install the latest version of Services: Services 7.x-3.12.

As a reminder, Services for Drupal 6 is no longer maintained.

Also see the Services project page.

Reported by Access Bypass/file upload Private fields information displayed Fixed by Access Bypass/file upload Private fields information displayed Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Display Suite - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-095

Drupal Contrib Security Announcements - Wed, 04/15/2015 - 14:30
Description

Display Suite allows you to take full control over how your content is displayed using a drag and drop interface.

In certain situations, Display Suite does not properly sanitize some of the output, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker has to be able to configure field display settings, which usually needs a higher level permission such as administer taxonomy.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Display Suite version 7.x-2.7. Versions prior to Display Suite 7.x-2.7 are not vulnerable.

Drupal core is not affected. If you do not use the contributed Display Suite module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Display Suite project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

CiviCRM private report - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-094

Drupal Contrib Security Announcements - Wed, 04/08/2015 - 15:53
Description

CiviCRM private report module enables users to create their own private copies of CiviCRM reports, which they can modify and save to meet their needs without requiring the "Administer reports" permission.

The module doesn't sufficiently protect some links against CSRF. A malicious user can cause another user to delete reports by getting their browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • CiviCRM private report 6.x-1.x versions prior to 6.x-1.2.
  • CiviCRM private report 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed CiviCRM private report module, there is nothing you need to do.

Solution

Install the latest version:

Also see the CiviCRM private report project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

Pages