Feed aggregator

• Advisory ID: DRUPAL-SA-CONTRIB-2012-149
• Project: Hostip (third-party module)
• Version: 6.x, 7.x
• Date: 2012-October-03
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

Hostip enables you to query the http://www.hostip.info/ API to get the country / state information based on the user's IP address or a specific IP passed to it. The module fails to sanitize data retrieved from an untrusted third party source, thereby exposing an arbitrary script injection vulnerability (XSS).

This vulnerability is mitigated by the fact that an attacker must have either gained access to that third party source or use techniques such as DNS spoofing in order to inject malicious data.

CVE: Requested

• Hostip 6.x-2.x versions prior to 6.x-2.2.
• Hostip 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Hostip module, there is nothing you need to do.

Install the latest version:

• If you use the Hostip module for Drupal 6.x, upgrade to Hostip 6.x-1.2
• If you use the Hostip module for Drupal 7.x, upgrade to Hostip 7.x-1.2

Also see the Hostip project page.

• Klaus Purer of the Drupal Security Team

• Vaibhav Jain the module maintainer

• Klaus Purer of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-148
• Project: Organic groups (third-party module)
• Version: 7.x
• Date: 2012-September-26
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Access bypass

OG (Organic groups) enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves. A group membership can be given immediately upon subscribing, or be pending - waiting for a group administrator to approve it.

OG doesn't properly maintain pending memberships if the user is allowed to edit their own account.

In addition, under certain circumstances, a user was able to post to a group which they were not a member of.

There are no additional mitigating factors for these issues.

CVE: Requested

• OG (Organic groups) 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Organic groups module, there is nothing you need to do.

Install the latest version:

• If you use the OG 7.x-1.x module for Drupal 7.x, upgrade to OG (Organic groups) 7.x-1.5

Also see the Organic groups project page.

• Zoltán Tóth
• John Takousis

• Amitai Burstein the module maintainer

• Lee Rowlands
• Greg Knaddison of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-147
• Project: FileField Sources (third-party module)
• Version: 6.x, 7.x
• Date: 2012-September-19
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

The Drupal FileField module lets you upload files from your computer through a CCK field. The FileField Sources module expands on this ability by allowing you to select new or existing files through additional means. The FileField Sources module contains a persistent cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize user supplied filenames before display.

This vulnerability is mitigated by the fact that malicious users must have the ability to upload files on a field that has the "Reference existing" source enabled.

CVE: Requested

• FileField Sources 6.x-1.x versions prior to 6.x-1.6.
• FileField Sources 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed FileField Sources module, there is nothing you need to do.

Install the latest version:

• If you use the FileField Sources module for Drupal 6.x, upgrade to FileField Sources 6.x-1.6
• If you use the FileField Sources module for Drupal 7.x, upgrade to FileField Sources 7.x-1.6

Also see the FileField Sources project page.

• Disclosed publicly.

• Nathan Haug the module maintainer

• Greg Knaddison of the Drupal Security Team
• Michael Hess of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-146
• Project: Simplenews Scheduler (third-party module)
• Version: 6.x
• Date: 2012-September-19
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Arbitrary PHP code execution

The Simplenews Scheduler module provides a system for creating automatic email newsletters. These can be set to be sent at a fixed interval, or PHP code can be entered to evaluate a condition for a new newsletter issue to be sent.

The module allows a user with the 'send scheduled newsletters' access to the scheduling form where PHP code may be entered. This code is then executed the next time the site runs cron. A site administrator granting permissions is not given sufficient warning that they are granting this level of access to the site.

This vulnerability is mitigated by the fact that an attacker must have already been granted a role with the permission 'send scheduled newsletters'.

CVE: Requested

• Simplenews Scheduler 6.x-2.x versions prior to 6.x-2.3.

Drupal core is not affected. If you do not use the contributed Simplenews Scheduler module, there is nothing you need to do.

Install the latest version:

• If you use the Simplenews Scheduler module for Drupal 6.x, upgrade to Simplenews Scheduler 6.x-2.4

Also see the Simplenews Scheduler project page.

• Sascha Grossenbacher
• Joachim Noreiko the module maintainer

• Joachim Noreiko the module maintainer
• Sascha Grossenbacher

• Greg Knaddison of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-145
• Project: Imagemenu (third-party module)
• Version: 6.x
• Date: 2012-September-19
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

Imagemenu module allows you to create Drupal menus from images files.

The module doesn't sufficiently escape image file names when rendering menus, allowing a potential XSS attack.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer imagemenu".

CVE: Requested

• Imagemenu 6.x-1.x versions prior to 6.x-1.4.

Drupal core is not affected. If you do not use the contributed Imagemenu module, there is nothing you need to do.

Install the latest version:

• If you use the Imagemenu module for Drupal 6.x, upgrade to Imagemenu 6.x-1.4

Also see the Imagemenu project page.

• David Houlder

• Paul Maddern, module maintainer
• Marcus Clements, module maintainer
• Ben Jeavons of the Drupal Security Team

• Michael Hess, Ben Jeavons, and Greg Knaddison of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-144
• Project: Fonecta verify (third-party module)
• Version: 7.x
• Date: 2012-September-19
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

Fonecta verify provides an interface to retrieve information from the Finnish Fonecta company information database. The module contains an arbitrary script injection vulnerability (XSS) due to the fact that it fails to sanitize data retrieved from an untrusted third party source.

This vulnerability is mitigated by the fact that an attacker must have either gained access to that third party source or use techniques such as DNS spoofing in order to inject malicious data.

CVE: Requested

• Fonecta verify 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed Fonecta verify module, there is nothing you need to do.

Install the latest version:

• If you use the Fonecta verify module for Drupal 7.x, upgrade to Fonecta verify 7.x-1.6

Also see the Fonecta verify project page.

• Antti Alamäki the module maintainer

• Antti Alamäki the module maintainer

• Klaus Purer of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-143
• Project: PRH Search (third-party module)
• Version: 7.x
• Date: 2012-September-19
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

PRH Search provides an interface to search for association information for Finnish association using the PRH (Patentti- ja Rekisterihallitus) database. The module fails to sanitize data retrieved from an untrusted third party source, thereby exposing an arbitrary script injection vulnerability (XSS).

This vulnerability is mitigated by the fact that an attacker must have either gained access to that third party source or use techniques such as DNS spoofing in order to inject malicious data.

CVE: Requested

• PRH Search 7.x-1.x versions prior to 7.x-1.1

Drupal core is not affected. If you do not use the contributed PRH Search module, there is nothing you need to do.

Install the latest version:

• If you use the PRH Search module for Drupal 7.x, upgrade to PRH Search 7.x-1.1

Also see the PRH Search project page.

• Klaus Purer of the Drupal Security Team

• Antti Alamäki the module maintainer

• Klaus Purer of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-142
• Project: Spambot (third-party module)
• Version: 6.x, 7.x
• Date: 2012-September-19
• Security risk: Less critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

The Spambot module enables you to protect new user registrations from spammers using the database at stopforumspam.com.

Spambot doesn't sufficiently sanitize API responses from stopforumspam.com when they are logged to the watchdog, allowing a potential XSS attack.

This vulnerability is mitigated by the fact that only stopforumspam.com (or someone pretending to be stopforumspam.com) can exploit it.

CVE: Requested

• Spambot 6.x-3.x versions prior to 6.x-3.2.
• Spambot 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Spambot module, there is nothing you need to do.

Install the latest version:

• If you use the Spambot module for Drupal 6.x, upgrade to Spambot 6.x-3.2
• If you use the Spambot module for Drupal 7.x, upgrade to Spambot 7.x-1.1

Also see the Spambot project page.

• Jimmy Axenhus

• Beng Tan, the module maintainer
• Jimmy Axenhus

• Greg Knaddison of the Drupal Security Team
• Ben Jeavons of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-141
• Project: Mass Contact (third-party module)
• Version: 6.x
• Date: 2012-September-12
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Access bypass

This module allows anyone with permission to send a single message to multiple users of a site, using its roles functionality.

The module doesn't sufficiently check permissions after the form has been submitted.

This vulnerability is mitigated by the fact that an attacker must use a tool of some kind (like the Tamper Data Firefox add-on) to intercept the form submission request in order to modify the settings.

CVE: Requested

• Mass Contact 6.x-1.x versions prior to 6.x-1.2.

Drupal core is not affected. If you do not use the contributed Mass Contact module, there is nothing you need to do.

Install the latest version:

• If you use the Mass Contact module for Drupal 6.x, upgrade to Mass Contact 6.x-1.2

Also see the Mass Contact project page.

• Michael Orlitzky

• Michael Orlitzky
• Jason Flatt the module maintainer

• Greg Knaddison of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-140
• Project: Inf08 (third-party module)
• Version: 6.x
• Date: 2012-September-12
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

Inf08 is a valid XHTML 1.0 Strict / CSS 2.1 theme ported from the free CSS template. The theme contains an arbitrary script injection vulnerability (XSS) due to the fact that it fails to sanitize user supplied taxonomy vocabulary names before display. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer taxonomy".

CVE: Requested

• Inf08 6.x-1.x versions prior to 6.x-1.10.

Drupal core is not affected. If you do not use the contributed Inf08 module, there is nothing you need to do.

Install the latest version:

• If you use the Inf08 theme for Drupal 6.x, upgrade to Inf08 6.x-1.10

Also see the Inf08 project page.

• Justin C. Klein Keane

• kong, the theme maintainer

• Klaus Purer of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-139
• Project: PDFThumb (third-party module)
• Version: 7.x
• Date: 2012-September-12
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: OS Injection

PDFThumb module creates thumbnail images of PDF files.
The module doesn't sufficiently escape user-entered values when executing commands on the server allowing an attacker to execute whatever commands are available to the web server user (e.g. www-data).
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer PDFThumb".

CVE: Requested

• PDFThumb 7.x-1.x versions prior to 7.x-1.1

Drupal core is not affected. If you do not use the contributed PDFThumb module, there is nothing you need to do.

Install the latest version:

• If you use the PDFThumb module for Drupal 7.x, upgrade to PDFThumb 7.x-1.1

Also see the PDFThumb project page.

• Matt Kleve of the Drupal Security Team
• mdespeuilles, the module maintainer

• Matt Kleve of the Drupal Security Team
• mdespeuilles, the module maintainer

• Greg Knaddison of the Drupal Security Team
• Matt Kleve of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-138
• Project: Exposed Filter Data (third-party module)
• Version: 6.x
• Date: 2012-September-05
• Security risk: Critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

The Exposed Filter Data facilitates displaying data posted to Views via an exposed filter. The module does not properly sanitize user-supplied data prior to output, leading to a Cross-Site Scripting (XSS) vulnerability.

CVE: Requested

• Exposed Filter Data 6.x-1.x versions prior to 6.x-1.2.

Drupal core is not affected. If you do not use the contributed Exposed Filter Data module, there is nothing you need to do.

Install the latest version:

• If you use the Exposed Filter Data module for Drupal 6.x, upgrade to Exposed Filter Data 6.x-1.2.
• The 7.x-1.x branch is not vulnerable. If you use Exposed Filter Data for Drupal 7.x, there is nothing you need to do.

Also see the Exposed Filter Data project page.

• Joe Tsui
• ekes

• Shushu Inbar, the module maintainer

• Michael Hess (mlhess) of the Drupal Security Team
• Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-137
• Project: Heartbeat (third-party module)
• Version: 6.x, 7.x
• Date: 2012-September-5
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross Site Request Forgery

This module enables you to display activity for events on a site.
The module doesn't sufficiently check the heartbeat comment post values making it possible for an attacker to cause a user to unknowingly make comments.

CVE: Requested

• heartbeat_comments 6.x-4.x versions prior to 6.x-4.11.
• heartbeat_comments 7.x-1.x versions prior to 7.x-1.0.

Drupal core is not affected. If you do not use the contributed Heartbeat module, there is nothing you need to do.

Install the latest version:

• If you use the heartbeat_comments or shouts module for Drupal 6.x, upgrade to heartbeat 6.x-4.12
• If you use the heartbeat_comments module for Drupal 7.x, upgrade to heartbeat 7.x-1.1

Also see the Heartbeat project page.

• Greg Knaddison of the Drupal Security Team

• Stalski the module maintainer

• Greg Knaddison of the Drupal Security Team
• Matt Chapman of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-136
• Project: Apache Solr Autocomplete (third-party module)
• Version: 6.x, 7.x
• Date: 2012-August-29
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting

Apache Solr Search Autocomplete module enables you to add autocomplete capabilities to the search text field for the Apache Solr Search Integration module.

The module doesn't sufficiently filter the autocomplete results sent back from the Drupal site, so under the scenario where someone provided a URL with a specially-crafted search string embedded in it, the attacker could have a user execute arbitrary Javascript when clicking or focusing on the autocomplete text field.

This vulnerability is mitigated by the fact that the attacked user must click or otherwise give focus to the text widget to have the Javascript activate.

CVE: Requested

• Apache Solr Autocomplete 6.x-1.x versions prior to 6.x-1.4.
• Apache Solr Autocomplete 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Apache Solr Autocomplete module, there is nothing you need to do.

Install the latest version.

• If you use the Apache Solr Autocomplete module for Drupal 6.x, upgrade to Apache Solr Autocomplete 6.x-1.4
• If you use the Apache Solr Autocomplete module for Drupal 7.x, upgrade to Apache Solr Autocomplete 7.x-1.3

Also see the Apache Solr Autocomplete project page.

• drupaledmonk

• Alejandro Garza the module maintainer

• Greg Knaddison of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-135
• Project: CAPTCHA (third-party module)
• Version: 6.x
• Date: 2011-August-29
• Security risk: Less critical
• Exploitable from: Remote
• Vulnerability: Access bypass

This module enables you to protect website forms using a CAPTCHA. A CAPTCHA is a test which attempts to differentiate between a human and an automated bot or script.

The module doesn't ensure that test submissions have a single-use unique token. This means that web robots could reuse a single successful submission multiple times, reducing the effectiveness of the protection.

CVE: Requested

• CAPTCHA 6.x-2.x versions prior to 6.x-2.3

Drupal core is not affected. If you do not use the contributed CAPTCHA module, there is nothing you need to do.

Install the latest version:

• If you use the CAPTCHA module for Drupal 6.x, upgrade to CAPTCHA 6.x-2.3 or greater

Also see the CAPTCHA project page.

• LeeSai
• MustLive

• Stefaan Lippens a CAPTCHA module maintainer

• Owen Barton of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-134
• Project: (third-party module)
• Version: 6.x
• Date: 2012-August-29
• Security risk: Critical
• Exploitable from: Remote
• Vulnerability: Privilege escalation

The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented.

The module incorrectly modifies the global user object in some situations when a view has a uid argument and performs validation on that argument.

This vulnerability is mitigated by the fact that it only affects sites with more roles than default where a role with a low role ID has more privileges than other roles on the site and where untrusted (i.e. potentially malicious) users are granted several of those roles.

CVE: Requested

• Views 6.x-2.x versions prior to 6.x-2.16.

Drupal core is not affected. If you do not use the contributed module, there is nothing you need to do.

Install the latest version:

• If you use the Views module for Drupal 6.x, upgrade to Views 6.x-2.16

Also see the project page.

• Derek Wright of the Drupal Security Team
• John Preto

• Derek Wright one of module maintainers, also of the Drupal Security Team

• Greg Knaddison of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-133
• Project: Taxonomy Image (third-party module)
• Version: 6.x
• Date: 2012-August-29
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Cross Site Scripting, Arbitrary PHP code execution

The taxonomy_image module allows site administrators to associate images with taxonomy terms.

The module did not sufficiently filter retrieval of taxonomy images, allowing users to bypass Drupal's normal file upload protections to install malicious HTML or executable code to the server.

This vulnerability is mitigated by the fact that an attacker must have the permissions "administer taxonomy" and "administer taxonomy images", and that the fix for SA-2006-006 - Drupal Core - Execution of arbitrary files in certain Apache configurations should prevent code execution in typical Apache configurations.

CVE: Requested

• Taxonomy Image 6.x-1.x versions prior to 6.x-1.7.

Drupal core is not affected. If you do not use the contributed Taxonomy Image module, there is nothing you need to do.

Install the latest version:

• If you use the Taxonomy Image module for Drupal 6.x, upgrade to Taxonomy Image 6.x-1.7

Also see the Taxonomy Image project page.

• Chris Burgess

• Nancy Wichmann, the module maintainer
• Niklas Fiekas, the module maintainer
• Chris Burgess

• Greg Knaddison of the Drupal Security Team
• Ivo Van Geertruyen of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-132
• Project: Announcements (third-party module)
• Version: 6.x
• Date: 2012-August-29
• Security risk: Moderately critical
• Exploitable from: Remote
• Vulnerability: Access bypass

The Announcements module creates an "announcement" content type and provides both node views and block lists.

The module doesn't sufficiently check node access under certain conditions.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access announcements".

CVE: Requested

• Announcements 6.x-1.x versions prior to 6.x-1.5.

Drupal core is not affected. If you do not use the contributed Announcements module, there is nothing you need to do.

Install the latest version:

• If you use the Announcements module for Drupal 6.x, upgrade to Announcements 6.x-1.5

Also see the Announcements project page.

• Michael Hess of the Drupal Security Team

• Nancy Wichmann, the module maintainer

• Greg Knaddison of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-131
• Project: Email Field (third-party module)
• Version: 6.x, 7.x
• Date: 2012-August-29
• Security risk: Less critical
• Exploitable from: Remote
• Vulnerability: Access bypass

The email module provides a field type (CCK / FieldAPI) for storing email addresses. Furthermore, it provides a formatter to output the email address as a link to a contact form. The contact form formatter allows a site visitor to email the stored address without letting them see what that e-mail address is.

The module didn't sufficiently check access for the contact form page, allowing a site visitor to email the stored address on the entity without having access to the entity itself.

CVE: Requested

• Email Field 6.x-1.x versions prior to 6.x-1.2.
• Email Field 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Email Field module, there is nothing you need to do.

Install the latest version:

• If you use the Email Field module for Drupal 6.x, upgrade to Email Field 6.x-1.3
• If you use the Email Field module for Drupal 7.x, upgrade to Email Field 7.x-1.2

Also see the Email Field project page.

• Joachim Noreiko

• Joachim Noreiko
• Matthias Hutterer the module maintainer
• Greg Knaddison of the Drupal Security Team

• Greg Knaddison of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

• Advisory ID: DRUPAL-SA-CONTRIB-2012-130
• Project: Javascript Tool (third-party module)
• Version: 7.x
• Date: 2012-August-29
• Security risk: Highly critical
• Exploitable from: Remote
• Vulnerability: Multiple vulnerabilities

Javascript Tool enables administrators to edit any javascript file online from an admin panel.

The module does not protect its menu paths, which contain sensitive information about all javascript files on the site and their contents.
The module does not validate filenames which can lead to potential read/write access to arbitrary files on the server.

Write access to files is mitigated by the fact that an attacker must have the permission to use the full_html text format.

CVE: Requested

• Javascript Tool 7.x-1.x versions prior to 7.x-1.7.

Drupal core is not affected. If you do not use the contributed Javascript Tool module, there is nothing you need to do.

Install the latest version:

• If you use the Javascript Tool module for Drupal 7.x, upgrade to Javascript Tool 7.x-1.7

Also see the Javascript Tool project page.

• Klaus Purer of the Drupal Security Team

• drupwash the module maintainer

• Klaus Purer of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.