Skip directly to content

Feed aggregator

Ctools - Critical - Multiple Vulnerabilities - SA-CONTRIB-2015-141

Drupal Contrib Security Announcements - Wed, 08/19/2015 - 20:28
Description Cross Site Scripting (XSS)

Ctools in Drupal 6 provides a number of APIs and extensions for Drupal, and is a dependency for many of the most popular modules, including Views, Panels and Entityreference. Many features introduced in Drupal Core once lived in ctools.

This vulnerability can be mitigated by the fact that ctools must load its javascript on the page and the user has access to submit data through a form (such as a comment or node) that allows 'a' tags.

This patch is a backport for SA-CORE-2015-003.

Access bypass

This module provides a number of APIs and extensions for Drupal, and is a dependency for many of the most popular modules, including Views, Panels and Features.

The module doesn't sufficiently verify the "edit" permission for the "content type" plugins that are used on Panels and similar systems to place content and functionality on a page.

This vulnerability is mitigated by the fact that the user must have access to edit a display via a Panels display system, e.g. via Panels pages, Mini Panels, Panel Nodes, Panelizer displays, IPE, Panels Everywhere, etc. Furthermore, either a contributed module provides a CTools content type plugin, or a custom plugin must be written that inherits permissions from another plugin and must have a different permission defined; if no "edit" permission is set up for the child object CTools did not check the permissions of the parent object. One potential scenario would allow people who did not have edit access to Fieldable Panels Panes panes, which were specifically set to not be reusable, to edit them despite the person's lack of access.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

Cross Site Scripting:

  • ctools 6.x-1.x versions prior to 6.x-1.14.

Access bypass:

  • ctools 6.x-1.x versions prior to 6.x-1.14.
  • ctools 7.x-1.x versions prior to 7.x-1.8.

Drupal core is not affected. If you do not use the contributed Chaos tool suite (ctools) module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Chaos tool suite (ctools) project page.

Reported by

Cross Site Scripting:

Access bypass:

Fixed by

Cross Site Scripting:

Access bypass:

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-003

Drupal Core Security Announcements - Wed, 08/19/2015 - 19:27

This security advisory fixes multiple vulnerabilities. See below for a list.

Cross-site Scripting - Ajax system - Drupal 7

A vulnerability was found that allows a malicious user to perform a cross-site scripting attack by invoking Drupal.ajax() on a whitelisted HTML element.

This vulnerability is mitigated on sites that do not allow untrusted users to enter HTML.

Drupal 6 core is not affected, but see the similar advisory for the Drupal 6 contributed Ctools module: SA-CONTRIB-2015-141.

Cross-site Scripting - Autocomplete system - Drupal 6 and 7

A cross-site scripting vulnerability was found in the autocomplete functionality of forms. The requested URL is not sufficiently sanitized.

This vulnerability is mitigated by the fact that the malicious user must be allowed to upload files.

SQL Injection - Database API - Drupal 7

A vulnerability was found in the SQL comment filtering system which could allow a user with elevated permissions to inject malicious code in SQL comments.

This vulnerability is mitigated by the fact that only one contributed module that the security team found uses the comment filtering system in a way that would trigger the vulnerability. That module requires you to have a very high level of access in order to perform the attack.

Cross-site Request Forgery - Form API - Drupal 6 and 7

A vulnerability was discovered in Drupal's form API that could allow file upload value callbacks to run with untrusted input, due to form token validation not being performed early enough. This vulnerability could allow a malicious user to upload files to the site under another user's account.

This vulnerability is mitigated by the fact that the uploaded files would be temporary, and Drupal normally deletes temporary files automatically after 6 hours.

Information Disclosure in Menu Links - Access system - Drupal 6 and 7

Users without the "access content" permission can see the titles of nodes that they do not have access to, if the nodes are added to a menu on the site that the users have access to.

CVE identifier(s) issued
  • CVE identifiers have been requested and will be added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Drupal core 6.x versions prior to 6.37
  • Drupal core 7.x versions prior to 7.39
Solution

Install the latest version:

Also see the Drupal core project page.

Credits Cross-site Scripting - Ajax system - Drupal 7 Reported by Fixed by Cross-site Scripting - Autocomplete system - Drupal 6 and 7 Reported by Fixed by SQL Injection - Database API - Drupal 7 Reported by Fixed by Cross-site Request Forgery - Form API - Drupal 6 and 7 Reported by Fixed by Information Disclosure in Menu Links - Access system - Drupal 6 and 7 Reported by Fixed by Coordinated by
  • Alex Bronstein, Angie Byron, Michael Hess, Pere Orga, David Rothstein and Peter Wolanin of the The Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

Search API Autocomplete - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-140

Drupal Contrib Security Announcements - Wed, 08/19/2015 - 15:02
Description

This module enables you to add autocomplete suggestions for search forms created with the Search API module.

The module doesn't sufficiently sanitize the HTML output for the returned suggestions, theoretically allowing an attacker to include custom HTML there.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create new content (or other indexed entities) and that the search index must be configured to use the HTML filter processor.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Search API Autocomplete 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Search API Autocomplete module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Search API Autocomplete project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Workbench Email - Moderately Critical - Access bypass - DRUPAL-SA-CONTRIB-2015-139

Drupal Contrib Security Announcements - Wed, 08/19/2015 - 14:52
Description

Workbench Email module provides a way for administrators to define email transitions and configurable email subject / messages between those transitions.

The module causes node and field validations to be skipped when saving nodes.

The vulnerability is mitigated by the fact that an attacker must have a role with permission to create or update nodes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Workbench Email 7.x-3.x versions prior to 7.x-3.4

Drupal core is not affected. If you do not use the contributed Workbench Email module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Workbench Email project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Compass Rose - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-138

Drupal Contrib Security Announcements - Wed, 08/05/2015 - 15:47
Description

Compass Rose module provides a type of CCK field that allows to represent the most common orientations (North, North-East, East, South-East, South, South-West, West and North-West).

The module was embedding a JavaScript library from an external source that was not reliable, thereby exposing the site to a Cross Site Scripting (XSS) vulnerability.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Compass Rose 6.x-1.x versions prior to 6.x-1.1.

Drupal core is not affected. If you do not use the contributed Compass Rose module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Compass Rose project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

Quick Edit - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-137

Drupal Contrib Security Announcements - Wed, 08/05/2015 - 15:38
Description

This module enables you to in-place edit entities' fields.

The module doesn't sufficiently filter entity titles under the scenario where the user starts in-place editing an entity. The module also doesn't sufficiently filter node titles under the scenario where a node is displayed (albeit only on pages that are not the node page, so e.g. Views listings).

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create or edit node entities (e.g. page, article …).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Quick Edit 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Quick Edit module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Quick Edit project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Commerce Commonwealth (CBA) - Moderately Critical - Insufficient Verification of API Data - SA-CONTRIB-2015-136

Drupal Contrib Security Announcements - Wed, 07/29/2015 - 21:06
Description

This module enables you to pay for items on Drupal Commerce, using Commerce Commonwealth payment gateway.

The module doesn't sufficiently validate the payment under certain specific scenarios. A malicious user can modify the urls used in gateway interaction with Commbank to make a failed payment appear to be a successful payment.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Commerce Commonwealth (CBA) 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Commerce Commonwealth (CBA) module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Commerce Commonwealth (CBA) project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Time Tracker - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-135

Drupal Contrib Security Announcements - Wed, 07/22/2015 - 15:54
Description

This module enables you to track time on entities and comments.

The module doesn't sufficiently filter notes added to time entries, leading to an XSS/JavaScript injection vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Add Time Tracker Entries".

The module doesn't sufficiently filter activities used to categorize time tracker entries. This vulnerability is mitigated by the fact that an attacker must have a role with the "Administer Time Tracker" permission. This role has also been properly marked as "restrict access".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Time Tracker 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Time Tracker module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Time Tracker project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

OSF for Drupal - Critical - Multiple vulnerabilities - SA-CONTRIB-2015-134

Drupal Contrib Security Announcements - Wed, 07/22/2015 - 15:46
Description

The Open Semantic Framework (OSF) for Drupal is a middleware layer that allows structured data (RDF) and associated vocabularies (ontologies) to "drive" tailored tools and data displays within Drupal.

The module is vulnerable to reflected Cross Site Scripting (XSS) because it did not sufficiently filter user input values in some administration pages. An attacker could exploit this vulnerability by making other users visit a specially-crafted URL. Only sites with OSF Ontology module enabled are affected.

Additionally, the module is vulnerable to Arbitrary file deletion. A malicious user can cause an administrator to delete files by getting their browser to make a request to a specially-crafted URL. Only sites with OSF Ontology and OSF Import modules enabled are affected.

Also, some forms were vulnerable to Cross Site Request Forgery (CSRF). An attacker could create new OSF datasets by getting an administrator's browser to make a request to a specially-crafted URL. Only sites with OSF Import module enabled are affected.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • OSF 7.x-3.x versions prior to 7.x-3.1.

Drupal core is not affected. If you do not use the contributed OSF for Drupal module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the OSF for Drupal module for Drupal 7.x, upgrade to OSF 7.x-3.1

Also see the OSF for Drupal project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Path Breadcrumbs - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-133

Drupal Contrib Security Announcements - Wed, 07/15/2015 - 16:30
Description

This module enables you to configure breadcrumbs for any Drupal page.

The module didn't sufficiently filter user input values the in administration interface.

This vulnerability was mitigated by the fact that an attacker must have a role with the permission "Administer Path Breadcrumbs".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Path Breadcrumbs 7.x-3.x versions prior to 7.x-3.3

Drupal core is not affected. If you do not use the contributed Path Breadcrumbs module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Path Breadcrumbs project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Administration Views - Critical - Information Disclosure - SA-CONTRIB-2015-132

Drupal Contrib Security Announcements - Wed, 07/08/2015 - 17:39
Description

Administration Views module replaces overview/listing pages with actual views for superior usability.

The module does not check access properly under certain circumstances. Anonymous users could get access to read information they should not have access to.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Administration Views 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Administration Views module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Administration Views project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Views Bulk Operations - Moderately critical - Access Bypass - SA-CONTRIB-2015-131

Drupal Contrib Security Announcements - Wed, 07/01/2015 - 15:35
Description

The Views Bulk Operations module enables you to add bulk operations to administration views, executing actions on multiple selected rows.

The module doesn't sufficiently guard user entities against unauthorized modification. If a user has access to a user account listing view with VBO enabled (such as admin/people when the administration_views module is used), they will be able to edit their own account and give themselves a higher role (such as "administrator") even if they don't have the "'administer users'" permission.

This vulnerability is mitigated by the fact that an attacker must have access to such a user listing page and that the bulk operation for changing Roles is enabled.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Views Bulk Operations 7.x-3.x versions prior to 7.x-3.3.
  • Views Bulk Operations 6.x-1.x versions.

Drupal core is not affected. If you do not use the contributed Views Bulk Operations (VBO) module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Views Bulk Operations module for Drupal 7.x, upgrade to Views Bulk Operations 7.x-3.3
  • If you use the Views Bulk Operations module for Drupal 6.x, uninstall the module.

Also see the Views Bulk Operations (VBO) project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

Migrate - Less critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-130

Drupal Contrib Security Announcements - Wed, 07/01/2015 - 15:21
Description

This module enables you to manage migration processes through the administrative UI.

The module doesn't sufficiently sanitize destination field labels thereby exposing a Cross Site Scripting vulnerability (XSS).

This vulnerability is mitigated by the fact that an attacker must have a role
with permission to create/edit fields (such as "administer taxonomy"), or be able to modify source data being imported by an administrator. Furthermore, the migrate_ui submodule must be enabled.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Migrate 7.x-2.x versions prior to 7.x-2.8.

Drupal core is not affected. If you do not use the contributed Migrate module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the migrate module's migrate_ui submodule for Drupal 7.x, upgrade to Migrate 7.x-2.8

Also see the Migrate project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Shibboleth authentication - Moderately critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-129

Drupal Contrib Security Announcements - Wed, 06/24/2015 - 17:02
Description

Shibboleth authentication module allows users to log in and get permissions based on federated (SAML2) authentication.

The module didn't filter the text that is displayed as a login link.

This vulnerability was mitigated by the fact that an attacker must have a role with the permission Administer blocks.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Shibboleth authentication 6.x-4.x versions prior to 6.x-4.2.
  • Shibboleth authentication 7.x-4.x versions prior to 7.x-4.2.

Drupal core is not affected. If you do not use the contributed Shibboleth authentication module, there is nothing you need to do.

Solution

Also see the Shibboleth authentication project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

me aliases - Moderately Critical - Access Bypass - SA-CONTRIB-2015-128

Drupal Contrib Security Announcements - Wed, 06/24/2015 - 15:06
Description

'me aliases' module provides shortcut paths to current user's pages, eg user/me, blog/me, user/me/edit, tracker/me etc.

The view user argument handler for the 'me' module has an access bypass vulnerability where it does not check the supplied argument against the current user. This allows any user to access the content served by the view by substituting 'me' in the URL with a user id even when they don't have permission to access the content.

These only affects Views which use the Views 'me' user argument handler.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • me aliases 7.x-1.x versions prior to 7.x-1.2
  • me aliases 6.x-2.x versions prior to 6.x-2.10

Drupal core is not affected. If you do not use the contributed me aliases module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the 'me aliases' module for Drupal 7.x, upgrade to me 7.x-1.2
  • If you use the 'me aliases' module for Drupal 6.x, upgrade to me 6.x-2.10

Also see the me aliases project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

HybridAuth Social Login - Less Critical - Access bypass - SA-CONTRIB-2015-127

Drupal Contrib Security Announcements - Wed, 06/24/2015 - 14:55
Description

The HybridAuth Social Login module enables you to allow visitors to authenticate or login to a Drupal site using their identities from social networks like Facebook or Twitter.

The module allows account creation through social login when the configuration is set to allow user registration by administrators only.

This vulnerability is mitigated by the fact that a site must be configured to allow user registration by administrators only and that authenticated user accounts can access sensitive data that would otherwise not be shown to anonymous users.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • HybridAuth Social Login 7.x-2.x versions prior to 7.x-2.13.

Drupal core is not affected. If you do not use the contributed HybridAuth Social Login module, there is nothing you need to do.

Solution

Install the latest version:

Also see the HybridAuth Social Login project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Content Construction Kit (CCK) - Less Critical - Open Redirect - SA-CONTRIB-2015-126

Drupal Contrib Security Announcements - Wed, 06/17/2015 - 18:50
Description

The Content Construction Kit (CCK) project is a set of modules that allows you to add custom fields to nodes using a web browser.

CCK uses a "destinations" query string parameter in URLs to redirect users to new destinations after completing an action on a few administration pages. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.

See also: SA-CORE-2015-002

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Content Construction Kit (CCK) 6.x-2.x versions prior to 6.x-2.10.

Drupal core is not affected. If you do not use the contributed Content Construction Kit (CCK) module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Content Construction Kit (CCK) project page.

Reported by Fixed by
  • Pere Orga of the Drupal Security Team
  • Neil Drumm, module maintainer and member of the Drupal Security Team
Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

Acquia Cloud Site Factory Connector - Less Critical - Open Redirect - SA-CONTRIB-2015-125

Drupal Contrib Security Announcements - Wed, 06/17/2015 - 18:41
Description

Acquia Cloud Site Factory provides an environment and a robust set of tools that simplify management of many Drupal sites, allowing you to quickly deliver and manage any number of websites.

The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack (see SA-CORE-2015-002).

Only sites with the Overlay module enabled are vulnerable.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Acquia Cloud Site Factory 7.x-1.x versions prior to 7.x-1.14

Drupal core is not affected. If you do not use the contributed Acquia Cloud Site Factory Connector module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Acquia Cloud Site Factory Connector project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

LABjs - Less Critical - Open Redirect - SA-CONTRIB-2015-124

Drupal Contrib Security Announcements - Wed, 06/17/2015 - 18:36
Description

The LABjs module integrates LABjs with Drupal for web performance optimization.

The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack (see SA-CORE-2015-002).

Only sites with the Overlay module enabled are vulnerable.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • LABjs 7.x-1.x versions prior to 7.x-1.7.

Drupal core is not affected. If you do not use the contributed LABjs module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the LABjs module for Drupal 7.x, upgrade to LABjs 7.x-1.7.

Also see the LABjs project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

jQuery Update - Less Critical - Open Redirect - SA-CONTRIB-2015-123

Drupal Contrib Security Announcements - Wed, 06/17/2015 - 18:33
Description

The jQuery Update module enables you to update jQuery on your site.

The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack (see SA-CORE-2015-002).

Only sites with the Overlay module enabled are vulnerable.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • jQuery Update 7.x-2.x versions prior to 7.x-2.6

Drupal core is not affected. If you do not use the contributed jQuery Update module, there is nothing you need to do.

Solution

Install the latest version:

Also see the jQuery Update project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Pages