Skip directly to content

Feed aggregator

Ubercart Webform Checkout Pane - Moderately Critical - Cross Site Scripting (XSS) - Unsupported - SA-CONTRIB-2015-087

Drupal Contrib Security Announcements - Wed, 03/25/2015 - 16:24
Description

Ubercart Webform Checkout Pane module allows you to define Webform nodes as checkout/order panes in Ubercart.

The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a user with permission to create/edit Ubercart products or webforms.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of Ubercart Webform Checkout Pane module

Drupal core is not affected. If you do not use the contributed Ubercart Webform Checkout Pane module, there is nothing you need to do.

Solution

If you use the Ubercart Webform Checkout Pane module you should uninstall it.

Also see the Ubercart Webform Checkout Pane project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

Decisions - Moderately Critical - Cross Site Scripting (XSS) - Unsupported - SA-CONTRIB-2015-086

Drupal Contrib Security Announcements - Wed, 03/25/2015 - 16:20
Description

Decisions module is a replacement for the Poll module and provides advanced voting systems and decision-making tools.

The module doesn't sufficiently protect some links against CSRF. A malicious user can cause another user to remove individual voters by getting their browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of Decisions module

Drupal core is not affected. If you do not use the contributed Decisions module, there is nothing you need to do.

Solution

If you use the Decisions module you should uninstall it.

Also see the Decisions project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

Invoice - Moderately Critical - Multiple vulnerabilities - Unsupported - SA-CONTRIB-2015-085

Drupal Contrib Security Announcements - Wed, 03/25/2015 - 16:14
Description

Invoice module allows you to create invoices in Drupal.

The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.

Additionally, some URLs were not protected against CSRF. A malicious user can cause another user to create, delete and alter invoices by getting their browser to make a request to a specially-crafted URL.

The XSS vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer own invoices" and be able to create/edit nodes of the "Invoice" content type.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of Invoice module

Drupal core is not affected. If you do not use the contributed Invoice module, there is nothing you need to do.

Solution

If you use the Invoice module you should uninstall it.

Also see the Invoice project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

Linear Case - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-084

Drupal Contrib Security Announcements - Wed, 03/25/2015 - 16:08
Description

Linear Case module allows you to organize Closed Question documents in case studies.

The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a user with permission to edit/create Linear Case nodes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Linear Case 6.x-1.x versions prior to 6.x-1.3.

Drupal core is not affected. If you do not use the contributed Linear Case module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Linear Case project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

Webform Multiple File Upload - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-083

Drupal Contrib Security Announcements - Wed, 03/25/2015 - 16:03
Description

Webform Multiple File Upload module enables you to upload multiple files at once in webforms.

The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause a user with edit access to webforms to delete files by getting their browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Webform Multiple File Upload 6.x-1.x versions prior to 6.x-1.3.
  • Webform Multiple File Upload 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Webform Multiple File Upload module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Webform Multiple File Upload project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

Crumbs - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-082

Drupal Contrib Security Announcements - Wed, 03/25/2015 - 15:56
Description

This module enables you to add navigation to your webpages colloquially referred to as "breadcrumbs".

The module doesn't sufficiently sanitize custom HTML separators for breadcrumbs, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer Crumbs".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Crumbs 7.x-2.x versions prior to 7.x-2.3

Drupal core is not affected. If you do not use the contributed Crumbs module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Crumbs module for Drupal 7.x, upgrade to Crumbs 7.x-2.3

Also see the Crumbs project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Petition - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-081

Drupal Contrib Security Announcements - Wed, 03/25/2015 - 15:50
Description

The Petition module enables you to create petitions which users may sign.

The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "create petition".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Petition 6.x-1.x versions prior to 6.x-1.3.

Drupal core is not affected. If you do not use the contributed Petition module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Petition project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2015-080 - Profile2 Privacy - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 03/18/2015 - 19:09
Description

Profile2 Privacy module enables you to show or hide parts of a profile2 entity based on pre-configured field sets with a title and description.

The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer Profile2 Privacy Levels".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Profile2 Privacy 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Profile2 Privacy module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Profile2 Privacy project page.

Reported by
  • Matt Vance provisional member of the Drupal Security Team
Fixed by Coordinated by
  • Matt Vance provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2015-001

Drupal Core Security Announcements - Wed, 03/18/2015 - 18:04
Description Access bypass (Password reset URLs - Drupal 6 and 7)

Password reset URLs can be forged under certain circumstances, allowing an attacker to gain access to another user's account without knowing the account's password.

In Drupal 7, this vulnerability is mitigated by the fact that it can only be exploited on sites where accounts have been imported or programmatically edited in a way that results in the password hash in the database being the same for multiple user accounts. In Drupal 6, it can additionally be exploited on sites where administrators have created multiple new user accounts with the same password via the administrative interface, or where accounts have been imported or programmatically edited in a way that results in the password hash in the database being empty for at least one user account.

Drupal 6 sites that have empty password hashes, or a password field with a guessable string in the database, are especially prone to this vulnerability. This could apply to sites that use external authentication so that the password field is set to a fixed, invalid value.

Open redirect (Several vectors including the "destination" URL parameter - Drupal 6 and 7)

Drupal core and contributed modules frequently use a "destination" query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.

In addition, several URL-related API functions in Drupal 6 and 7 can be tricked into passing through external URLs when not intending to, potentially leading to additional open redirect vulnerabilities.

This vulnerability is mitigated by the fact that many common uses of the "destination" parameter are not susceptible to the attack. However, all confirmation forms built using Drupal 7's form API are vulnerable via the Cancel action that appears at the bottom of the form, and some Drupal 6 confirmation forms are vulnerable too.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Drupal core 6.x versions prior to 6.35
  • Drupal core 7.x versions prior to 7.35
Solution

Install the latest version:

Also see the Drupal core project page.

Reported by

Access bypass via password reset URLs:

Open redirect via vectors including the "destination" URL parameter:

Fixed by

Access bypass via password reset URLs:

Open redirect via vectors including the "destination" URL parameter:

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Security posts

SA-CONTRIB-2015-079 - Chaos tool suite (ctools) - Multiple vulnerabilities

Drupal Contrib Security Announcements - Wed, 03/18/2015 - 16:51
Description

This module provides a set of APIs and tools to improve the developer experience.

Access bypass in autocomplete (Drupal 7 only)

Among other many other things, CTools provides an autocomplete callback for finding entities by their titles or ID.

In CTools version 1.5, additional checks were created to defend against leaking titles for entities that the user doesn't have access to. However, certain edge cases were found to leak this private data.

This vulnerability is mitigated by the fact that you must perform the autocomplete search on custom entities that don't include an access query tag, or you must know the ID of the entity whose title you are trying to get.

Open redirect in confirmation pages (Drupal 6 and 7)

Also, CTools did not sanitize user provided URLs when processing confirmation delete pages, thereby exposing an open redirect attack vector.

This vulnerability is mitigated by the fact that a module using CTools must allow for users to insert a malicious external URL that is sent to the confirmation page.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • CTools 6.x-1.x versions prior to 6.x-1.12.
  • CTools 7.x-1.x versions prior to 7.x-1.7.

Drupal core is not affected. If you do not use the contributed Chaos tool suite (ctools) module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Chaos tool suite (ctools) project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2015-078 - Webform - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 03/18/2015 - 16:47
Description

Webform is the module for making surveys, petitions, contests, personalized contact forms, and the like in Drupal.

The module doesn't sufficiently sanitize component names when components are used to determine the e-mail addresses that may be sent upon webform submission.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create/update nodes with an attached webform and (in 7.x-4.x releases) have the permission "edit webform components".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Webform 6.x-3.x versions prior to 6.x-3.23
  • Webform 7.x-3.x versions prior to 7.x-3.23
  • Webform 7.x-4.x versions prior to 7.x-4.5

Drupal core is not affected. If you do not use the contributed Webform module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Webform project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2015-077 - OG tabs - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 03/11/2015 - 17:38
Description

OG Tabs modules provides a secondary menu with links to nodes of the same OG group.

The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have permission to create/edit nodes posted in an Organic Groups group.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • OG Tabs 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed OG tabs module, there is nothing you need to do.

Solution

Install the latest version:

Also see the OG tabs project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-076 - Image Title - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 03/11/2015 - 16:53
Description

Image Title module allows you to upload an image and use it as a node title.

The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must allowed to create/edit nodes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Image Title 7.x-1.x versions prior to 7.x-1.1

Drupal core is not affected. If you do not use the contributed Image Title module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Image Title project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-075 - Perfecto - Open Redirect

Drupal Contrib Security Announcements - Wed, 03/11/2015 - 16:51
Description

The Perfecto module allows themers accurately calibrate the CSS by floating compositions over the page.

The module doesn't sufficiently check user supplied URLs in parameters used for page redirection. An attacker could trick users to visit malicious sites without realizing it.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Perfecto 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Perfecto module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Perfecto project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Security posts

SA-CONTRIB-2015-074 - Site Documentation - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 03/11/2015 - 16:47
Description

Site Documentation module enables you to display detailed configuration information.

The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a user with permission to create/edit taxonomy terms.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Site Documentation 6.x-1.x versions prior to 6.x-1.5.

Drupal core is not affected. If you do not use the contributed Site Documentation module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Site Documentation project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Security posts

SA-CONTRIB-2015-073 - Trick Question - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 03/04/2015 - 18:12
Description

The Trick Question is a CAPTCHA-type spam prevention module; a lightweight, compact and simple alternative to larger and more complex modules.

The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.

The vulnerability is mitigated by the fact that an attacker must have the "Administer Trick Question" permission.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Trick Question 6.x-1.x versions prior to 6.x-1.5
  • Trick Question 7.x-1.x versions prior to 7.x-1.5

Drupal core is not affected. If you do not use the contributed Trick Question module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Trick Question project page.

Reported by
  • Matt Vance provisional member of the Drupal Security Team
Fixed by Coordinated by
  • Matt Vance provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2015-072 - Commerce Ogone - Access bypass

Drupal Contrib Security Announcements - Wed, 03/04/2015 - 17:57
Description

This module enables you to use Ogone (Ingenico) as a payment method for Drupal Commerce.

Malicious users can trick Commerce Ogone into proceeding with the checkout process without actually going through the Ogone payment process, causing the order status to be set to checkout complete, even though no payment was processed.

The vulnerability is mitigated by the fact that the balance to be paid on affected orders remains the full amount, and no payment transaction is linked to the order.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Commerce Ogone 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Commerce Ogone module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Commerce Ogone project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-071 - Simple Subscription - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 03/04/2015 - 17:30
Description

This module enables you to add a block to allow visitors to subscribe to a site's newsletter.

The module failed to sanitize some block content, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Simple Subscription 6.x-1.x versions prior to 6.x-1.1.
  • Simple Subscription 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Simple Subscription module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Simple Subscription module for Drupal 6.x, upgrade to Simple Subscription 6.x-1.1
  • If you use the Simple Subscription module in branch 7.x-1.x for Drupal 7.x, upgrade to Simple Subscription 7.x-1.1
  • If you use the Simple Subscription module in branch 7.x-2.x for Drupal 7.x, there is nothing to do, this branch is secure

Also see the Simple Subscription project page.

Reported by
  • Matt Vance provisional member of the Drupal Security Team
Fixed by Coordinated by
  • Michael Hess of the Drupal Security Team
  • Matt Vance provisional member of the Drupal Security Team
  • Aaron Ott provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2015-070 - Mover - Cross Site Scripting (XSS) - Unsupported

Drupal Contrib Security Announcements - Wed, 03/04/2015 - 16:49
Description

The Mover modules provide the ability to move content between Drupal sites.

The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have permission to create/edit nodes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Mover 6.x-1.0

Drupal core is not affected. If you do not use the contributed Mover module, there is nothing you need to do.

Solution

If you use the Mover module you should uninstall it.

Also see the Mover project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2015-069 - Taxonomy Accordion - Cross Site Scripting (XSS) - Unsupported

Drupal Contrib Security Announcements - Wed, 03/04/2015 - 16:46
Description

Taxonomy Accordion module creates a block for each taxonomy vocabularies.

The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a user allowed to create/edit taxonomy terms.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of Taxonomy Accordion module

Drupal core is not affected. If you do not use the contributed Taxonomy Accordion module, there is nothing you need to do.

Solution

If you use the Taxonomy Accordion module you should uninstall it.

Also see the Taxonomy Accordion project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

Pages