Skip directly to content

Feed aggregator

Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2016-004

Drupal Core Security Announcements - Wed, 09/21/2016 - 16:35
Description

Users who have rights to edit a node, can set the visibility on comments for that node.

Description

Users without "Administer comments" can set comment visibility on nodes they can edit. (Less critical)

Users who have rights to edit a node, can set the visibility on comments for that node. This should be restricted to those who have the administer comments permission.

Cross-site Scripting in http exceptions (critical)

An attacker could create a specially crafted url, which could execute arbitrary code in the victim’s browser if loaded. Drupal was not properly sanitizing an exception

Full config export can be downloaded without administrative permissions (critical)
The system.temporary route would allow the download of a full config export. The full config export should be limited to those with Export configuration permission.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

8.x

Solution

Upgrade to Drupal 8.1.10

Reported by

Users without "Administer comments" can set comment visibility on nodes they can edit.

XSS in http exceptions

Full config export can be downloaded without administrative permissions

Fixed by

Users without "Administer comments" can set comment visibility on nodes they can edit.

XSS in http exceptions

Full config export can be downloaded without administrative permissions

Coordinated by

The Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 8.x
Categories: Security posts

Flag Lists - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2016-051

Drupal Contrib Security Announcements - Wed, 09/07/2016 - 17:45
Description

This module enables regular users to create unlimited private flags called lists.

The flag_lists module doesn't sufficiently filter the output when applying token strings to flag_lists links leading to a persistent Cross Site Scripting (XSS) attack.

This vulnerability is mitigated by the fact that an attacker must have a role with the "Create flag lists" permission.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • flag_lists 7.x-3.x versions prior to 7.x-3.1.
  • flag_lists 7.x-1.x versions prior to 7.x-1.3.

Please note that there are two different versions available of the flag_lists module. One 7.x-3.x which is used together with flag 7.x-3.x and one for the earlier flag module prior to 7.x-3.x.

Drupal core is not affected. If you do not use the contributed Flag lists module, there is nothing you need to do.

Drupal core is not affected. If you do not use the contributed Flag Lists module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Flag Lists project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Flag - Moderately Critical - Access Bypass - SA-CONTRIB-2016-050

Drupal Contrib Security Announcements - Wed, 08/31/2016 - 17:23
Description

Flag enables users to mark content with any number of admin-defined flags, such as 'bookmarks' or 'spam'. Flag Bookmark is a submodule within Flag, which provides a 'bookmarks' flag, and default views to list bookmarked content.

The provided view that lists each user's bookmarked content as a tab on their user profile has for its access control the permission to use the 'bookmarks' flag. This means that any user who has permission to use the 'bookmarks' flag can see the list of content that any user has bookmarked.

This vulnerability is mitigated by the fact that the site must have enabled the Flag Bookmark module to create this view, and an attacker must have a role with the permission "Flag node entities as bookmarks".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Flag 7.x-3.x versions prior to 7.x-3.8.

Drupal core is not affected. If you do not use the contributed Flag module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Flag module for Drupal 7.x, upgrade to Flag 7.x-3.8

If you have Flag Bookmark enabled, or have enabled it in the past and still have the flag_bookmarks_tab view active, edit this and change the User: uid contextual filter's as follows:

  1. set the validator to 'Current user ID matches argument value'
  2. set the action to take if the filter value does not validate to 'Show "Page not found"'.

Also see the Flag project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Workbench Scheduler - Moderately Critical - Access Bypass - SA-CONTRIB-2016-049

Drupal Contrib Security Announcements - Wed, 08/24/2016 - 14:47
Description

Workbench Scheduler module provides users with the ability to create schedules that change moderated content from one workbench moderation state to another.

An authenticated user could add a schedule to a node even when that content type has schedules disabled.

The vulnerability is mitigated by the fact that a attacker must have access to an account in the system with permission to edit content and create schedules. Also, only sites with a specific combination of permissions and modules are affected.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Workbench Scheduler 7.x-1.x versions prior to 7.x-1.9.

Drupal core is not affected. If you do not use the contributed Workbench Scheduler module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Workbench Scheduler project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Panelizer - Moderately Critical - Access Bypass - SA-CONTRIB-2016-048

Drupal Contrib Security Announcements - Wed, 08/17/2016 - 17:13
Description

Panelizer enables you to use Panels to replace the display of any entity, and even modify the Panels configuration in-place using the Panels In-Place Editor (IPE).

The default behavior for Panels IPE is to allow any user with the permissions "Use the Panels In-Place Editor" and "Change layouts with the Panels In-Place Editor " access to the IPE regardless of whether or not a user has access to edit the underlying entity. While users cannot edit the entity itself, they can change the layout and the different panel panes shown (effectively allowing them to edit it).

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Use the Panels In-Place Editor" and the IPE must be enabled for the specific content type.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Panelizer 7.x-3.x versions prior to 7.x-3.3.

Drupal core is not affected. If you do not use the contributed Panelizer module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Panelizer project page.

Reported by Fixed by Coordinated by
  • Mike Potter provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Panels - Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-047

Drupal Contrib Security Announcements - Wed, 08/17/2016 - 16:20
Description Panels does not check access on some routes (Critical)

Panels allows users with certain permissions to modify the layout and panel panes on pages or entities utilizing panels.

Much of the functionality to modify these panels rely on backend routes that call administrative forms. These forms did not provide any access checks, or site specific encoded urls. This can allow an attacker to guess the backend url as an anonymous user and see data loaded for the form.

There is no mitigation for this exploit. Any site with panels enabled is vulnerable.

Panels In-place Editor does not properly check for access (Moderately Critical)

The Panels In-Place Editor (IPE) allows users with certain permissions to modify the layout and panel content of pages.

The default behavior for Panels IPE is to allow any user with the permissions "Use the Panels In-Place Editor" and "Change layouts with the Panels In-Place Editor " access to the IPE regardless of whether or not a user has proper access to the page. While users cannot edit the page content itself, they can change the layout and the different panel panes shown.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Use the Panels In-Place Editor" and the IPE must be enabled for the specific content type.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Panels 7.x-3.x versions prior to 7.x-3.6.

Drupal core is not affected. If you do not use the contributed Panels module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the panels module for Drupal 7x, upgrade to Panels 7.x-3.6

Also see the Panels project page.

Reported by Fixed by Coordinated by
  • Mike Potter provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Hosting - Less Critical - Access bypass - SA-CONTRIB-2016-046

Drupal Contrib Security Announcements - Wed, 08/17/2016 - 13:35
Description

The Hosting module is a core component of the Aegir Hosting System.
This install profile, and accompanying suite of modules, is a hosting system that sits alongside a LAMP or LEMP server to create, deploy and manage Drupal sites.

The Hosting module does not sufficiently control access to any custom content types created by the user. The default content types are sufficiently protected.

This vulnerability is mitigated by the fact that on a typical installation the users who have access normally have admin privilege already, and few installations will have created additional custom content types.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Hosting 7.x-3.x versions prior to 7.x-3.7.

Drupal core is not affected. If you do not use the contributed Hosting module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Hosting project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Security posts

Require Login - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2016-045

Drupal Contrib Security Announcements - Wed, 08/10/2016 - 15:08
Description

This module enables you to restrict site access without using user roles or permissions.

The module does not sufficiently escape some of its settings, and, in some cases, allows malicious users to bypass the protection offered by Require Login.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Require Login 7.x-2.x versions prior to 7.x-2.4
  • Require Login 8.x-1.x versions prior to 8.x-1.8

Drupal core is not affected. If you do not use the contributed Require Login module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Require Login project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Security posts

OAuth2 Client- Moderately Critical - Cross Site Request Forgery - SA-CONTRIB-2016-044

Drupal Contrib Security Announcements - Wed, 08/10/2016 - 13:30
Description

This module provides an OAuth2 client.

The module does not check the validity of the state parameter, during server-side flow, before getting a token. This may allow a malicious user to feed a fake access_token to another user, and subsequently provide him fake data from the server. This page explains it in more details: http://www.twobotechnologies.com/blog/2014/02/importance-of-state-in-oau...

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • OAuth2 Client 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed OAuth2 Client module, there is nothing you need to do.

Solution

Install the latest version:

Also see the OAuth2 Client project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Security posts

Piwik - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2016-043

Drupal Contrib Security Announcements - Wed, 08/10/2016 - 13:26
Description

This module enables you to add integration with Piwik statistics service.
The module allows admin users to enter custom JavaScript snippets to add advanced tracking functionality. The permission required to enter this JavaScript was not marked as restricted.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer Piwik".

For greater flexibility a new feature has been added to the module to implement the new permission "Add JavaScript snippets" that can be assigned to users who are allowed to add JS code snippets into your web site.

If you have granted the Administer Google Analytics to non trusted users, please check your settings to make sure all javascript entered is valid.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Piwik 7.x-2.x versions prior to 7.x-2.9.
  • Piwik 8.x-2.x versions prior to 8.x-1.1.

Drupal core is not affected. If you do not use the contributed Piwik Web Analytics module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Piwik module for Drupal 7.x, upgrade to Piwik 7.x-2.9
  • If you use the Piwik module for Drupal 8.x, upgrade to Piwik 8.x-1.1
  • Also see the Piwik Web Analytics project page.

    Reported by Fixed by Coordinated by Contact and More Information

    The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

    Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

    Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

    Drupal version: Drupal 7.xDrupal 8.x
    Categories: Security posts

    Google Analytics - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2016-042

    Drupal Contrib Security Announcements - Wed, 08/10/2016 - 13:20
    Description

    This module enables you to add integration with Google Analytics statistics service.
    The module allows admin users to enter custom JavaScript snippets to add advanced tracking functionality. The permission required to enter this JavaScript was not marked as restricted.

    This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer Google Analytics".

    For greater flexibility a new feature has been added to the module to implement the new permission "Add JavaScript snippets" that can be assigned to users who are allowed to add JS code snippets into your web site.

    If you have granted the Administer Google Analytics to non trusted users, please check your settings to make sure all javascript entered is valid.

    CVE identifier(s) issued
    • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
    Versions affected
  • Google Analytics 7.x-2.x versions prior to 7.x-2.3.
  • Google Analytics 8.x-2.x versions prior to 8.x-2.1.
  • Drupal core is not affected. If you do not use the contributed Google Analytics module, there is nothing you need to do.

    Solution

    Install the latest version:

  • If you use the Google Analytics module for Drupal 7.x, upgrade to Google Analytics 7.x-2.3
  • If you use the Google Analytics module for Drupal 8.x, upgrade to Google Analytics 8.x-2.1
  • Also see the Google Analytics project page.

    Reported by Fixed by Coordinated by Contact and More Information

    The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

    Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

    Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

    Drupal version: Drupal 7.xDrupal 8.x
    Categories: Security posts

    Administration Views - Critical - Access bypass - SA-CONTRIB-2016-041

    Drupal Contrib Security Announcements - Wed, 08/03/2016 - 16:42
    Description

    Administration Views module replaces overview/listing pages with actual views for superior usability.

    The module does not check access properly under certain circumstances. Anonymous users could get access to read information they should not have access to.

    CVE identifier(s) issued
    • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
    Versions affected
    • administration views 7.x-1.x versions prior to 7.x-1.6.

    Drupal core is not affected. If you do not use the contributed Administration Views module, there is nothing you need to do.

    Solution

    Install the latest version:

    Also see the Administration Views project page.

    Reported by Fixed by Coordinated by Contact and More Information

    The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

    Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

    Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

    Categories: Security posts

    Drupal Core - Highly Critical - Injection - SA-CORE-2016-003

    Drupal Core Security Announcements - Mon, 07/18/2016 - 13:53
    Description

    Drupal 8 uses the third-party PHP library Guzzle for making server-side HTTP requests. An attacker can provide a proxy server that Guzzle will use. The details of this are explained at https://httpoxy.org/.

    CVE identifier(s) issued
    • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
    Versions affected
    • Drupal core 8.x versions prior to 8.1.7
    Solution

    Install the latest version:

    • If you use Drupal 8.x, upgrade to Drupal core 8.1.7
    • If you use Drupal 7.x, Drupal core is not affected. However you should consider using the mitigation steps at https://httpoxy.org/ since you might have modules or other software on your server affected by this issue. For example, sites using Apache can add the following code to .htaccess:
      <IfModule mod_headers.c> RequestHeader unset Proxy </IfModule>

    We also suggest mitigating it as described here: https://httpoxy.org/

    Also see the Drupal core project page.

    What if I am running Drupal core 8.0.x?

    Drupal core 8.0.x is no longer supported. Update to 8.1.7 to get the latest security and bug fixes.

    Why is this being released Monday rather than Wednesday?

    The Drupal Security Team usually releases Security Advisories on Wednesdays. However, this vulnerability affects more than Drupal, and the authors of Guzzle and reporters of the issue coordinated to make it public Monday. Therefore, we are issuing a core release to update to the secure version of Guzzle today.

    Contact and More Information

    The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

    Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

    Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

    Drupal version: Drupal 8.x
    Categories: Security posts

    RESTWS - Highly critical - Remote code execution - SA-CONTRIB-2016-040

    Drupal Contrib Security Announcements - Wed, 07/13/2016 - 15:01
    Description

    This module enables you to expose Drupal entities as RESTful web services.

    RESTWS alters the default page callbacks for entities to provide additional functionality.

    A vulnerability in this approach allows an attacker to send specially crafted requests resulting in arbitrary PHP execution.

    There are no mitigating factors. This vulnerability can be exploited by anonymous users.

    CVE identifier(s) issued
    • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
    Versions affected
    • RESTful Web Services 7.x-2.x versions prior to 7.x-2.6.
    • RESTful Web Services 7.x-1.x versions prior to 7.x-1.7.

    Drupal core is not affected. If you do not use the contributed RESTful Web Services module, there is nothing you need to do.

    Solution

    Install the latest version:

    Also see the RESTful Web Services project page.

    Reported by Fixed by Coordinated by Contact and More Information

    The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

    Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

    Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

    Drupal version: Drupal 7.x
    Categories: Security posts

    Coder - Highly Critical - Remote Code Execution - SA-CONTRIB-2016-039

    Drupal Contrib Security Announcements - Wed, 07/13/2016 - 14:59
    Description

    The Coder module checks your Drupal code against coding standards and other best practices. It can also fix coding standard violations and perform basic upgrades on modules.

    The module doesn't sufficiently validate user inputs in a script file that has the php extension. A malicious unauthenticated user can make requests directly to this file to execute arbitrary php code.

    There are no mitigating factors. The module does not need to be enabled for this to be exploited. Its presence on the file system and being reachable from the web are sufficient.

    CVE identifier(s) issued
    • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
    Versions affected
    • Coder module 7.x-1.x versions prior to 7.x-1.3.
    • Coder module 7.x-2.x versions prior to 7.x-2.6.

    Drupal core is not affected. If you do not use the contributed Coder module, there is nothing you need to do.

    Solution

    Two solutions are possible.

    A first option is to remove the module from all publicly available websites:

    • The coder module is intended to be used in development environments and is not intended to be on publicly available servers. Therefore, one simple solution is to remove the entire coder module directory from any publicly accessible website.

    A second option is to install the latest version:

    Also see the Coder project page.

    Reported by Fixed by Coordinated by Contact and More Information

    The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

    Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

    Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

    Drupal version: Drupal 7.x
    Categories: Security posts

    Webform Multiple File Upload - Critical - Remote Code Execution - SA-CONTRIB-2016-038

    Drupal Contrib Security Announcements - Wed, 07/13/2016 - 14:58
    Description

    The Webform Multiple File Upload module allows users to upload multiple files on a Webform.

    The Webform Multifile File Upload module contains a Remote Code Execution (RCE) vulnerability where form inputs will be unserialized and a specially crafted form input may trigger arbitrary code execution depending on the libraries available on a site.

    This vulnerability is mitigated by the fact that an attacker must have the ability to submit a Webform with a Multiple File Input field. Further, a site must have an object defined with methods that are invoked at wake/destroy that include code that can be leveraged for malicious purposes. Drupal 7 Core contains one such class which can be used to delete arbitrary files, but contributed or custom classes may include methods that can be leveraged for RCE.

    Note: this vulnerability exists in the Webform Multiple File Upload (webform_multifile) module. There is a similarly named module Webform Multiple File (webform_multiple_file) which is not related to this issue.

    CVE identifier(s) issued
    • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
    Versions affected

    Webform Multifile 7.x-1.x versions prior to 7.x-1.4

    Drupal core is not affected. If you do not use the contributed Webform Multiple File Upload module, there is nothing you need to do.

    Solution

    Install the latest version:

    Also see the Webform Multiple File Upload project page.

    Reported by Fixed by Coordinated by Contact and More Information

    The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

    Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

    Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

    Drupal version: Drupal 7.x
    Categories: Security posts

    Instagram Block - Moderately Critical - Information Disclosure - SA-CONTRIB-2016-037

    Drupal Contrib Security Announcements - Wed, 07/06/2016 - 13:33
    Description

    This module enables you to authenticate with Instagram's API via an intermediary service (instagram.yanniboi.com).
    The module doesn't sufficiently advise that your authentication tokens could be intercepted.

    CVE identifier(s) issued
    • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
    Versions affected
    • Instagram Block 7.x-1.x versions prior to 7.x-1.4.

    Drupal core is not affected. If you do not use the contributed Instagram Block module, there is nothing you need to do.

    Solution

    Install the latest version:

    Also see the Instagram Block project page.

    Reported by Fixed by Coordinated by Contact and More Information

    The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

    Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

    Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

    Categories: Security posts

    Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2016-002

    Drupal Core Security Announcements - Wed, 06/15/2016 - 18:45
    Description Saving user accounts can sometimes grant the user all roles (User module - Drupal 7 - Moderately Critical)

    A vulnerability exists in the User module, where if some specific contributed or custom code triggers a rebuild of the user profile form, a registered user can be granted all user roles on the site. This would typically result in the user gaining administrative access.

    This issue is mitigated by the fact that it requires contributed or custom code that performs a form rebuild during submission of the user profile form.

    Views can allow unauthorized users to see Statistics information (Views module - Drupal 8 - Less Critical)

    An access bypass vulnerability exists in the Views module, where users without the "View content count" permission can see the number of hits collected by the Statistics module for results in the view.

    This issue is mitigated by the fact that the view must be configured to show a "Content statistics" field, such as "Total views", "Views today" or "Last visit".

    The same vulnerability exists in the Drupal 7 Views module (see SA-CONTRIB-2016-036).

    CVE identifier(s) issued
    • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
    Versions affected
    • Drupal core 7.x versions prior to 7.44
    • Drupal core 8.x versions prior to 8.1.3
    Solution

    Install the latest version:

    Also see the Drupal core project page.

    Reported by

    Saving user accounts can sometimes grant the user all roles:

    Views can allow unauthorized users to see Statistics information:

    Fixed by

    Saving user accounts can sometimes grant the user all roles:

    Views can allow unauthorized users to see Statistics information:

    Coordinated by

    The Drupal Security Team

    Contact and More Information

    The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

    Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

    Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

    Drupal version: Drupal 7.xDrupal 8.x
    Categories: Security posts

    Views - Less Critical - Access Bypass - SA-CONTRIB-2016-036

    Drupal Contrib Security Announcements - Wed, 06/15/2016 - 18:42
    Description

    An access bypass vulnerability exists in the Views module, where users without the "View content count" permission can see the number of hits collected by the Statistics module for results in the view.

    This issue is mitigated by the fact that the view must be configured to show a "Content statistics" field, such as "Total views", "Views today" or "Last visit".

    The same vulnerability exists in the Drupal 8 core Views module SA-CORE-2016-002

    CVE identifier(s) issued
    • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
    Versions affected
    • Views 7.x-3.x versions prior to 7.x-3.14.

    Drupal core is not affected. If you do not use the contributed Views module, there is nothing you need to do.

    Solution

    Install the latest version:

    Also see the Views project page.

    Reported by Fixed by Coordinated by Contact and More Information

    The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

    Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

    Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

    Categories: Security posts

    Outline Designer - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-035

    Drupal Contrib Security Announcements - Wed, 06/08/2016 - 17:21
    Description

    This module enables you to mass administer book outlines and perform common operations through one interface, improving the usability for the book module.

    The module doesn't sufficiently sanitize titles when presenting them on this interface.

    This vulnerability is mitigated by the fact that an attacker must have have the ability to use outline designer, which is generally reserved for content authors and system admins.

    CVE identifier(s) issued
    • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
    Versions affected
    • Outline Designer 7.x-2.x versions prior to 7.x-2.2.

    Drupal core is not affected. If you do not use the contributed Outline Designer module, there is nothing you need to do.

    Solution

    Install the latest version:

    Also see the Outline Designer project page.

    Reported by Fixed by Coordinated by Contact and More Information

    The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

    Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

    Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

    Categories: Security posts

    Pages