Skip directly to content

Feed aggregator

Open Atrium - Moderately Critical - Access Bypass - SA-CONTRIB-2016-003

Drupal Contrib Security Announcements - Wed, 01/27/2016 - 16:29
Description

Open Atrium allows you to control access via a hierarchy of public and private spaces and sub-spaces. If a public sub-space is created within a private parent-space, the content nodes of the public sub-space are accessible to users who are not members of the parent private space.

This issue only affects sites that use private sub-spaces.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Open Atrium 7.x-2.x versions prior to 7.x-2.53.

Drupal core is not affected. If you do not use the contributed Open Atrium module, there is nothing you need to do.

Solution
  • Upgrade to the latest version, 7.x-2.53

If you are not able to fully upgrade to the latest version, ensure private sub-spaces are directly marked as private and are not seen publicly in a private parent space.

Also see the Open Atrium project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

RedHen CRM - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-002

Drupal Contrib Security Announcements - Wed, 01/13/2016 - 20:21
Description

The Redhen set of modules allows you to build a CRM features in a Drupal site.

When rendering individual Contacts, this module does not properly filter the certain data prior to display. When rendering listing of notes or engagement scores, these modules do not properly filter certain data before display.

This vulnerability is mitigated by the fact that an attacker must have an authenticated user account with access to edit a contact, administer engagement scores, or administer taxonomies.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Redhen 7.x-1.x versions prior to 7.x-1.11.

Drupal core is not affected. If you do not use the contributed RedHen CRM module, there is nothing you need to do.

Solution

Install the latest version:

Workaround (if you are unable to update the module immediately):

  • In the display settings for your Redhen Contact Types (admin/structure/redhen/contact_types), hide "name" on all display modes.
  • Restrict access to "Administer Engagement Scores" and "Administer Taxonomies" to trusted users.

Also see the RedHen CRM project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Field Group - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-001

Drupal Contrib Security Announcements - Wed, 01/06/2016 - 17:01
Description

Field Group module enables you to group fields on entity forms and entity displays.

When adding a HTML element as group, the user has the option to add custom HTML attributes on the group. Via this option, a malicious user can embed scripts within the page, resulting in a Cross-site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker has to be able to configure field display settings, which usually needs a higher level permission such as Administer vocabularies and terms.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Field Group 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Field Group module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Field Group project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Block Class - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-175

Drupal Contrib Security Announcements - Wed, 12/16/2015 - 19:26
Description

This module enables you to add custom classes to blocks.
The module doesn't sufficiently scrub class names written by a malicious block class administrator.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer block classes".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • block_class 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Block Class module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Block Class project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Open Atrium - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-174

Drupal Contrib Security Announcements - Wed, 12/16/2015 - 16:39
Description

Open Atrium distribution enables you to create an intranet.

Open Atrium Core module doesn't sufficiently sanitize some user supplied text, leading to a reflected Cross Site Scripting vulnerability (XSS).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Open Atrium distribution 7.x-2.x versions prior to 7.x-2.51
  • Open Atrium Core module 7.x-2.x versions prior to 7.x-2.66

Drupal core is not affected. If you do not use the contributed Open Atrium module, there is nothing you need to do.

Solution

If you use the Open Atrium distribution for Drupal 7.x:

If you use the Open Atrium Core module for Drupal 7.x:

If you are unable to update to Open Atrium 2.51 or oa_core 2.66, you can apply this patch to the oa_core module to fix the vulnerability until such time as you are able to completely upgrade to Open Atrium 2.51 or oa_core 2.66.

Also see the Open Atrium project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Select2 Field Widget - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-173

Drupal Contrib Security Announcements - Wed, 12/16/2015 - 15:44
Description

Select2 Field Widget module enables you to use the select2 library for field widgets.

The module doesn't sufficiently sanitize some user supplied text, leading to a reflected Cross Site Scripting vulnerability (XSS).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Select2 Field Widget 7.x-2.x versions prior to 7.x-2.9.

Drupal core is not affected. If you do not use the contributed Select2 Field Widget module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Select2 Field Widget project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Values - Critical - Arbitrary PHP code execution - SA-CONTRIB-2015-172

Drupal Contrib Security Announcements - Wed, 12/16/2015 - 15:27
Description

This module enables you to create key|value pairs for use in list fields, webforms etc.

The module includes an import page that runs eval() on an exported code block (ctools), but the permission for the page does not warn about security concerns of importing raw php code like this (trusted permission).

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "import value sets".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Values 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Values module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the values module for Drupal 7.x, upgrade to Values 7.x-1.2

Also see the Values project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Token Insert Entity - Moderately Critical - Access bypass and information disclosure - SA-CONTRIB-2015-171

Drupal Contrib Security Announcements - Wed, 12/02/2015 - 20:57
Description

This module offers a WYSIWYG button to embed rendered entities in fields using a WYSIWYG (normally the body of a node).

There is a vulnerability because a user that can create or edit content and has the "insert entity token" permission can insert tokens relating to e.g. an unpublished node and allow any (including anonymous) users to see this rendered node embedded into the main node.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Token Insert Entity 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Token Insert Entity module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Token Insert Entity project page.

Reported by
  • killes of the Drupal Security Team
Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Apache Solr Search - Moderately Critical - Access Bypass - SA-CONTRIB-2015-170

Drupal Contrib Security Announcements - Wed, 12/02/2015 - 19:27
Description

This module enables you to connect to an Apache Solr search server to provide a replacement for Drupal core content search and provide both extra features and better search performance and relevance.

The module doesn't correctly check access when attempting to delete non-default search environments.

This vulnerability is mitigated by the fact that the site must have a non-default environment configured and an attacker must discover the ID of the environment.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Apache Solr Search 6.x-3.x versions prior to 6.x-3.1.
  • Apache Solr Search 7.x-1.x versions prior to 7.x-1.8.

Drupal core is not affected. If you do not use the contributed Apache Solr Search module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Apache Solr Search project page.

Reported by Fixed by Coordinated by
  • Peter Wolanin of the Drupal Security Team, and a module maintainer
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

Chat Room - Moderately Critical - Access Bypass - SA-CONTRIB-2015-169

Drupal Contrib Security Announcements - Wed, 12/02/2015 - 17:01
Description

Chat Room enables site owners to integrate chats into nodes by adding the chat room field to them. The module relies on a websocket connection to send chat messages to the client.

The module doesn't sufficiently validate access before setting up the websocket. As a result, users may receive messages from chat rooms they don't have access to via the websocket.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Chat Room 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Chat Room module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Chat Room project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Mollom - Critical - Access bypass - SA-CONTRIB-2015-168

Drupal Contrib Security Announcements - Wed, 12/02/2015 - 16:17
Description

The Mollom module allows users to protect their website from spam. As part of the spam protection, Mollom enables the website administrator to create a blacklist. When content is submitted that matches terms on the black list it will be automatically marked as spam and rejected per the site configuration.

The module doesn't sufficiently check for access when accessing or modifying the blacklist for the site. This enables a potential attacker to add, update, or remove their own terms to a site-wide blacklist. The potential exists for an attacker to remove existing blacklist terms which could allow their content to be accepted onto the site.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Mollom 6.x-2.x versions between 6.x-2.7 through 6.x-2.14.

This does not affect the modules for Drupal 7 or Drupal 8.

Drupal core is not affected. If you do not use the contributed Mollom module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Mollom project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

RESTful - Less Critical - Access bypass - SA-CONTRIB-2015-167

Drupal Contrib Security Announcements - Wed, 12/02/2015 - 16:15
Description

RESTful module allows Drupal to be operated via RESTful HTTP requests, using best practices for security, performance, and usability.

The module doesn't sufficiently validate some user input. Specific code could be run arbitrarily by an attacker in certain circumstances.

This vulnerability is mitigated by the fact that only sites with a custom implementation of methods from a specific class are affected. Also, that custom code would need to affect data or impact the site in some way.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • RESTful 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed RESTful module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the RESTful 7.x-1.x module for Drupal 7.x, upgrade to RESTful 7.x-1.6

Also see the RESTful project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Encrypt - Moderately Critical - Weak Encryption - SA-CONTRIB-2015-166

Drupal Contrib Security Announcements - Wed, 11/18/2015 - 20:10
Description

This module enables you to encrypt data within Drupal using a user-configurable encryption method and key provider.

The module did not sufficiently validate good configurations and api usage resulting in multiple potential weaknesses depending on module usage. The default encryption method could theoretically leak the key for known plaintexts. This vulnerability is mitigated by the fact that an attacker would need to have access to the encrypted data which is generally not possible without a breach of the database.

The default key provider uses the Drupal private key, which means that it could potentially be leaked which puts other elements of the site at risk. This vulnerability is mitigated by requiring the default combination of encryption method and key provider for the Drupal private key to be potentially leaked. Users of the module are likely to employ a key of their own creation, rather than use the Drupal private key.

Another encryption method included with the module uses a cipher that can leak structural information about the plaintext. This vulnerability is mitigated by the fact that it would only affect encryptions of large quantities of data, such as files and data of shorter lengths would not be affected.

The default key created by the module is generated by a MD5 hash, which is not as strong as using truly random bytes of data.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Encrypt 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Encrypt module, there is nothing you need to do.

Solution

Install the latest version:

Once installed, review your settings and alter it to use a key provider and encryption method that is not deprecated. If data was encrypted with a deprecated key provider or encryption method then you should also re-encrypt all that data.

Also see the Encrypt project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

UC Profile - Moderately Critical - Information Disclosure - SA-CONTRIB-2015-165

Drupal Contrib Security Announcements - Wed, 11/11/2015 - 16:45
Description

UC Profile module enables you to collect profile fields for users during the checkout process of Ubercart as a checkout pane.

The module doesn't sufficiently check access to profiles under certain circumstances. Depending on the information being collected, sensitive data may be exposed.

This vulnerability is mitigated by the fact that only sites that store data to the anonymous user's profile are affected.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • UC Profile 6.x-1.x versions prior to 6.x-1.3

Drupal core is not affected. If you do not use the contributed UC Profile module, there is nothing you need to do.

Solution

Install the latest version:

Also see the UC Profile project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

MAYO theme - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-164

Drupal Contrib Security Announcements - Wed, 11/11/2015 - 16:27
Description

MAYO theme enables you to change certain theme settings via the administration interface.

Some theme settings aren't sufficiently sanitized.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer themes".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All MAYO 7.x-2.x versions prior to 7.x-2.6
  • All MAYO 7.x-1.x versions prior to 7.x-1.4

Drupal core is not affected. If you do not use the contributed MAYO theme, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the MAYO theme for Drupal 7.x-2.x, upgrade to MAYO 7.x-2.6
  • If you use the MAYO theme for Drupal 7.x-1.x, upgrade to MAYO 7.x-1.4

Also see the MAYO project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Monster Menus - Access Bypass - Moderately Critical - SA-CONTRIB-2015-163

Drupal Contrib Security Announcements - Wed, 11/04/2015 - 17:21
Description

Monster Menus is a hierarchical menu tree, which provides highly scalable, granular permissions for all pages within a site.

The module includes an option to remove nodes from view (add them to a "recycle bin") rather than deleting them outright. When a node has been put into a bin using an affected version of the module, it remains visible via a seldom-used URL pattern to the users to whom it had been visible previously, when it was outside of the recycle bin.

This vulnerability is mitigated by the facts that:

  1. Sites which do not use the recycle bin feature are not vulnerable.
  2. The exposed node is no more accessible than it had been before being placed into the recycle bin. If the node could not be read by a particular user while it was on the regular page, it would still be unreadable by that user when in the recycle bin.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Monster Menus versions 7.x-1.21 through 7.x-1.23.

Drupal core is not affected. If you do not use the contributed Monster Menus module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Monster Menus project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Login Disable - Access Bypass - Moderately Critical - SA-CONTRIB-2015-162

Drupal Contrib Security Announcements - Wed, 11/04/2015 - 16:13
Description

This module enables you to prevent existing users from logging in to your Drupal site unless they know the secret key to add to the end of the ?q=user login form page.

The Login Disable module doesn't support other contributed user authentication modules like CAS or URL Login. When combined with those modules, the protection preventing a user from logging in does not work.

This vulnerability is mitigated by the fact that an attacker must already have a user account to log in. This bug therefore allows users to log in even if they do not have permission to login.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Login Disable 6.x-1.x versions prior to 6.x-1.1.
  • Login Disable 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Login Disable module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Login Disable project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

Field as Block - Less Critical - Information Disclosure - SA-CONTRIB-2015-161

Drupal Contrib Security Announcements - Wed, 10/28/2015 - 15:58
Description

This module enables you to take a field from the current entity and place it elsewhere as a block.

The module caches the block output in a manner that could allow sensitive content to be seen by visitors who should not see it.

The problem will only occur when other modules alter field output based on user permissions.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Field as Block 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Field as Block module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Field as Block project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Drupal Core - Overlay - Less Critical - Open Redirect - SA-CORE-2015-004

Drupal Core Security Announcements - Wed, 10/21/2015 - 19:16
Description

The Overlay module in Drupal core displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability.

This vulnerability is mitigated by the fact that it can only be used against site users who have the "Access the administrative overlay" permission, and that the Overlay module must be enabled.

An incomplete fix for this issue was released as part of SA-CORE-2015-002.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Drupal core 7.x versions prior to 7.41.
Solution

Install the latest version:

Also see the Drupal core project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Webform CiviCRM Integration - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-160

Drupal Contrib Security Announcements - Wed, 10/21/2015 - 19:14
Description

Webform CiviCRM Integration allows you to add CiviCRM fields to a Drupal Webform.

The module doesn't sufficiently escape user input.

Some of the vulnerabilities are mitigated by the fact that an attacker must have a role with the permission to edit the webform node plus "access CiviCRM" to define the input prompts, or permission to create events in CiviCRM.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Webform CiviCRM 7.x versions prior to 7.x-4.13.

Drupal core is not affected. If you do not use the contributed Webform CiviCRM Integration module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Webform CiviCRM Integration project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Pages