Skip directly to content

Feed aggregator

SA-CONTRIB-2015-064 - Ubercart Discount Coupons - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 03/04/2015 - 16:29
Description

Ubercart Discount Coupons module provides discount coupons for Ubercart stores.

The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability.

The vulnerability is mitigated by the fact that an attacker must have a user with permission to create/edit taxonomy terms. Note that for vocabularies with free tagging enabled, this includes any user with permission to add/edit content of a type to which the vocabulary applies.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Ubercart Discount Coupons 6.x-1.x versions prior to 6.x-1.8

Drupal core is not affected. If you do not use the contributed Ubercart Discount Coupons module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Ubercart Discount Coupons project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2015-063 - Webform - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 03/04/2015 - 16:22
Description

Webform enables you to create surveys, personalized contact forms, contests, and the like.

Cross Site Scripting Related to Webform Submissions

The module doesn't sufficiently escape user data presented to administrative users in the webform results table. This issue affects the 7.x-4.x branch only.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to submit a webform and the administrative user must subsequently visit the webform's results table tab.

To mitigate this vulnerability, you can disable the view-based results table and restore the legacy hard-coded results table by adding this line to your settings.php file:

<?php
 $conf['webform_table'] = TRUE;
?> Cross Site Scripting Related to Blocks

The module doesn't sufficiently escape node titles of webforms which administrators may make available as blocks and displayed to any user. This issue affects all 6.x and 7.x branches of the module.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to administer blocks and create or edit webform nodes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • webform 6.x versions prior to 6.x-3.22.
  • webform 7.x-3.x versions prior to 7.x-3.22.
  • webform 7.x-4.x versions prior to 7.x-4.4.

Drupal core is not affected. If you do not use the contributed Webform module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Webform project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2015-062 - Watchdog Aggregator - Cross Site Request Forgery (CSRF) - Unsupported

Drupal Contrib Security Announcements - Wed, 02/25/2015 - 16:33
Description

Watchdog Aggregator collects watchdog messages from external sites.

The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to enable and disable monitoring sites by getting their browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

All versions of Watchdog Aggregator module.

Drupal core is not affected. If you do not use the contributed Watchdog Aggregator module, there is nothing you need to do.

Solution

If you use the Watchdog Aggregator module you should uninstall it.

Also see the Watchdog Aggregator project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2015-061 - Ubercart Webform Integration - Cross Site Scripting (XSS) - Unsupported

Drupal Contrib Security Announcements - Wed, 02/25/2015 - 16:31
Description

Ubercart Webform Integration module integrates Webform and Ubercart modules.

The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have permission to create/edit nodes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of Ubercart Webform Integration module.

Drupal core is not affected. If you do not use the contributed Ubercart Webform Integration module, there is nothing you need to do.

Solution

If you use the Ubercart Webform Integration module you should uninstall it.

Also see the Ubercart Webform Integration project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2015-060 - Custom Sitemap - Cross Site Request Forgery (CSRF) - Unsupported

Drupal Contrib Security Announcements - Wed, 02/25/2015 - 16:28
Description

The Custom Sitemap module enables you to add custom sitemaps to a site.

The module doesn't sufficiently protect some URLs against CSRF. A malicious user could trick an administrator into deleting sitemaps by getting their browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

All versions of Custom Sitemap module.

Drupal core is not affected. If you do not use the contributed Custom Sitemap module, there is nothing you need to do.

Solution

If you use the Custom Sitemap module you should uninstall it.

Also see the Custom Sitemap project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-059 - Spider Video Player - Multiple vulnerabilities - Unsupported

Drupal Contrib Security Announcements - Wed, 02/25/2015 - 16:25
Description

Spider Video Player module enables you to add HTML5 and Flash videos to your site.

The module doesn't sufficiently check user input when deleting files. A malicious user could delete arbitrary files by making a request to a specially-crafted URL. This vulnerability is mitigated by the fact that the attacker must have a role with the permission "access Spider Video Player administration".

Additionally, the module doesn't sufficiently protect some URLs against CSRF. A malicious user could trick an administrator into deleting videos by getting their browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

All versions of Spider Video Player module.

Drupal core is not affected. If you do not use the contributed Spider Video Player module, there is nothing you need to do.

Solution

If you use the Spider Video Player module you should uninstall it.

Also see the Spider Video Player project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2015-058 - Spider Catalog - Cross Site Request Forgery (CSRF) - Unsupported

Drupal Contrib Security Announcements - Wed, 02/25/2015 - 16:22
Description

Spider Catalog module enables you to build product catalogs.

The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to delete products, ratings and categories by getting their browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

All versions of Spider Catalog module.

Drupal core is not affected. If you do not use the contributed Spider Catalog module, there is nothing you need to do.

Solution

If you use the Spider Catalog module you should uninstall it.

Also see the Spider Catalog project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2015-057 - Spider Contacts - Multiple vulnerabilities - Unsupported

Drupal Contrib Security Announcements - Wed, 02/25/2015 - 16:17
Description

Spider Contacts module provides a user-friendly way to manage and display contacts.

The module doesn't use Drupal's Database API properly, not sanitizing user input on SQL queries and thereby exposing a SQL Injection vulnerability. This vulnerability is mitigated by the fact that the attacker must have a role with the permission "access Spider Contacts category administration".

Additionally, the module doesn't sufficiently protect some URLs against CSRF. A malicious user could trick an administrator into deleting contact categories by getting their browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

All versions of Spider Contacts module.

Drupal core is not affected. If you do not use the contributed Spider Contacts module, there is nothing you need to do.

Solution

If you use the Spider Contacts module you should uninstall it.

Also see the Spider Contacts project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2015-056 - inLinks Integration - Cross Site Scripting (XSS) - Unsupported

Drupal Contrib Security Announcements - Wed, 02/25/2015 - 16:14
Description

inLinks Integration module enables you to use inLinks product from Text Link Ads third-party service.

The module doesn't sufficiently sanitize user input in some path arguments, thereby exposing a Cross Site Scripting vulnerability.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

All versions of inLinks Integration module.

Drupal core is not affected. If you do not use the contributed inLinks Integration module, there is nothing you need to do.

Solution

If you use the inLinks Integration module you should uninstall it.

Also see the inLinks Integration project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2015-055 - Services single sign-on server helper - Open Redirect - Unsupported

Drupal Contrib Security Announcements - Wed, 02/25/2015 - 16:07
Description

Services single sign-on server helper module provides functionality to facilitate account information editing on a remote SSO site.

The module doesn't validate some user supplied URLs in parameters used for page redirection. An attacker could trick users to visit malicious sites without realizing it.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

All versions of Services single sign-on server helper module.

Drupal core is not affected. If you do not use the contributed Services single sign-on server helper module, there is nothing you need to do.

Solution

If you use the Services single sign-on server helper module you should uninstall it.

Also see the Services single sign-on server helper project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-054 - SMS Framework - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 02/25/2015 - 15:44
Description

SMS Framework module enables you to send and receive SMS messages from and into Drupal.

The module doesn't sufficiently sanitize user supplied text in message previews, thereby exposing a reflected Cross Site Scripting vulnerability. An attacker could exploit this vulnerability by getting the victim to visit a specially-crafted URL.

This vulnerability is mitigated by the fact that the "Send to phone" submodule must be enabled.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • SMS Framework 6.x-1.x versions prior to 6.x-1.1.

Drupal core is not affected. If you do not use the contributed SMS Framework module, there is nothing you need to do.

Solution

Install the latest version:

Also see the SMS Framework project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2015-053 - Entity API - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 02/25/2015 - 15:17
Description

The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties.

The module doesn't sufficiently sanitize field labels when exposing them through the Token API thereby exposing a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to administer fields such as "administer taxonomy".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Entity API 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed Entity API module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Entity API project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-052 - RESTful Web Services - Access Bypass

Drupal Contrib Security Announcements - Wed, 02/18/2015 - 16:17
Description

This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF.

The RESTWS Basic Auth submodule doesn't sufficiently disable page caching for authenticated requests thereby leaking potentially confidential data to unauthorized users.

This vulnerability is mitigated by the fact that the RESTWS Basic Auth submodule must be enabled, page caching must be enabled and permissions for a resource containing sensitive data must be enabled (for example the User resource).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • RESTWS 7.x-1.x versions prior to 7.x-1.5.
  • RESTWS 7.x-2.x versions prior to 7.x-2.3.

Drupal core is not affected. If you do not use the contributed RESTful Web Services module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the RESTful Web Services project page.

Reported by Fixed by
  • Klaus Purer the module maintainer and member of the Drupal Security Team
Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-051 - Term Queue - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 02/18/2015 - 16:11
Description

Term Queue module allows you to create lists of taxonomy terms and display them in a block.

The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer taxonomy".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Term Queue 6.x-1.0

Drupal core is not affected. If you do not use the contributed Term Queue module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Term Queue project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2015-050 - Services Basic Authentication - Access bypass - Unsupported

Drupal Contrib Security Announcements - Wed, 02/18/2015 - 16:05
Description

Services Basic Authentication module adds HTTP basic authentication for Services module.

A user could get unauthorized access to resources under some circumstances.

This vulnerability is mitigated by the fact that the authentication works correctly when page caching is disabled.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of Services Basic Authentication module.

Drupal core is not affected. If you do not use the contributed Services Basic Authentication module, there is nothing you need to do.

Solution

If you use the Services Basic Authentication module you should uninstall it

Also see the Services Basic Authentication project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-049 - Navigate - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 02/18/2015 - 15:24
Description

Navigate is a customizable navigation bar for Drupal.

The module doesn't sufficiently sanitize user input when displaying the Navigate bar.

Because the vulnerability is a Reflected Cross Site Scripting, the only mitigating factor is that the victim must be tricked into visiting a specially crafted malicious url.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Navigate 6.x-1.x versions prior to 6.x-1.1.
  • Navigate 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Navigate module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Navigate project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2015-048 - Avatar Uploader - Arbitrary PHP code execution

Drupal Contrib Security Announcements - Wed, 02/18/2015 - 15:09
Description

Avatar Uploader module provides an alternative way to upload user pictures.

The module doesn't sufficiently enforce file extensions when an avatar is uploaded, allowing users to bypass Drupal's normal file upload protections to install malicious HTML or executable code to the server.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "upload avatar file", and that the fix for SA-2006-006 - Drupal Core - Execution of arbitrary files in certain Apache configurations should prevent code execution in typical Apache configurations.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Avatar Uploader 6.x-1.x versions prior to 6.x-1.3.

Drupal core is not affected. If you do not use the contributed Avatar Uploader module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Avatar Uploader project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-047 - Panopoly Magic - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 02/18/2015 - 15:08
Description

This module enables live previews of Panels panes in the modal dialog for adding or editing them.

The module doesn't sufficiently filter the pane title when re-rendering the live preview.

This vulnerability is mitigated by the fact that an attacker must have permission to add or edit Panels panes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Panopoly Magic 7.x-1.x versions prior to 7.x-1.17.

Drupal core is not affected. If you do not use the contributed Panopoly Magic module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Panopoly Magic project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-046 - Taxonomy Tools - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 02/11/2015 - 19:18
Description

Taxonomy Tools module provides alternative ways of managing taxonomy terms.

The module doesn't sufficiently escape node and taxonomy term titles when displaying them, allowing a malicious user to inject code.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create or edit nodes or taxonomy terms.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Taxonomy Tools 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Taxonomy Tools module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Taxonomy Tools project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-045 - Node Access Product - Cross Site Scripting (XSS) - Unsupported

Drupal Contrib Security Announcements - Wed, 02/11/2015 - 19:18
Description

The Node Access Product module provides 'Node access' settings for product nodes, whereby users who purchase the product are granted view access to content, which can be predefined either by taxonomy, by node, or by Views.

The module doesn't sufficiently sanitize node titles leading to the possibility of cross-site scripting by an attacker.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create/edit content.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of Node Access Product

Drupal core is not affected. If you do not use the contributed Node Access Product module, there is nothing you need to do.

Solution

If you use the Node Access Product module you should uninstall it.

Also see the Node access product project page.

Reported by Fixed by
  • Not applicable.
Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

Pages