Feed aggregator

SA-CONTRIB-2014-037 - BlueMasters - Cross Site Scripting

Drupal Contrib Security Announcements - Wed, 04/09/2014 - 14:16
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-037
  • Project: BlueMasters (third-party module)
  • Version: 7.x
  • Date: 2014-April-09
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

Bluemasters is a responsive layout theme for Drupal 7.

The Bluemasters theme does not properly sanitize theme settings before they are used in the output of a page.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Bluemasters 7.x-2.x versions prior to 7.x-2.1.

Drupal core is not affected. If you do not use the contributed BlueMasters theme, there is nothing you need to do.

Solution

Install the latest version:

Also see the BlueMasters project page.

Reported by / Fixed by / Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-036 - Print - Cross Site Scripting

Drupal Contrib Security Announcements - Wed, 04/02/2014 - 17:10
Description

This module provides printer-friendly versions of content, including send by e-mail and PDF versions.
The module does not sufficiently sanitize user-provided input when generating the printed version of a node.
This is mitigated by the fact that an attacker must have permission to create a node which offers the print functionality.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Printer, email and PDF versions 6.x-1.x versions prior to 6.x-1.19.
  • Printer, email and PDF versions 7.x-1.x versions prior to 7.x-1.3.
  • Printer, email and PDF versions 7.x-2.x versions prior to 7.x-2.0.

Drupal core is not affected. If you do not use the contributed Printer, email and PDF versions module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Printer, email and PDF versions module for Drupal 6.x, upgrade to print 6.x-1.19
  • If you use the Printer, email and PDF versions module for Drupal 7.x, upgrade to print 7.x-1.3 or print 7.x-2.0

Also see the Printer, email and PDF versions project page.

Reported by / Fixed by / Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Security posts

SA-CONTRIB-2014-035 - CAS Server - Access Bypass

Drupal Contrib Security Announcements - Wed, 04/02/2014 - 17:08
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-035
  • Project: CAS (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-April-02
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

The cas_server module of the CAS project implements the CAS 1.0 and 2.0 specifications for providing single sign-on to relying-party web applications (the "service" in the CAS specs). The CAS server creates a single-use ticket when serving a user's login request, which is subsequently deleted when the relying party validates the ticket.

However, this successful validation will be cached if the Drupal page cache is enabled, and subsequent identical validation requests can be processed even though the single-use ticket has been deleted.

A user's session on a relying party can therefore be re-initialized via a session replay attack involving the cas_server module, even when the user deletes cookies and server-side sessions for both sites.

This would require an attacker to sniff the service URL containing the ticket ID, such as with a non-SSL relying party, by protocol downgrade, or by accessing an earlier user's web activity on a public computer.
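To make the cache interaction concrete, here is an added model (not the cas_server module's own code) of a single-use ticket store with a URL-keyed page cache in front of the validation endpoint; the `validation_cacheable` flag stands in for whether that endpoint is exempt from the page cache, which in Drupal 7 is what `drupal_page_is_cacheable(FALSE)` does, though the page does not state how the module's fix was implemented. All host names, tickets and user names are constructed.

```python
from urllib.parse import parse_qs, urlencode, urlparse


class CasServer:
    """Issues single-use service tickets and validates each one at most once."""

    def __init__(self):
        self._tickets = {}      # ticket id -> (username, service URL)
        self._counter = 0

    def issue_ticket(self, user: str, service: str) -> str:
        self._counter += 1
        ticket = f"ST-{self._counter}-constructed"   # constructed ticket id
        self._tickets[ticket] = (user, service)
        return ticket

    def validate(self, ticket: str, service: str) -> str:
        # Single use: pop() deletes the ticket on its first validation.
        entry = self._tickets.pop(ticket, None)
        if entry is not None and entry[1] == service:
            return f"yes\n{entry[0]}\n"      # CAS 1.0 success body
        return "no\n\n"                       # CAS 1.0 failure body


class PageCache:
    """Anonymous page cache keyed on the full request URL, as Drupal's is."""

    def __init__(self, server: CasServer, validation_cacheable: bool):
        self.server = server
        self.validation_cacheable = validation_cacheable
        self._store = {}

    def get(self, url: str) -> str:
        if url in self._store:
            return self._store[url]           # served without consulting the server
        q = parse_qs(urlparse(url).query)
        body = self.server.validate(q["ticket"][0], q["service"][0])
        if self.validation_cacheable:        # the flaw: caching a single-use result
            self._store[url] = body
        return body


def validation_replay_rejected(validation_cacheable: bool) -> bool:
    """Regression check for the single-use property: after one successful
    validation, an identical request (the same service URL and ticket) must
    be answered 'no'. Returns True when the property holds."""
    server = CasServer()
    service = "https://rp.example.test/login"            # constructed relying party
    ticket = server.issue_ticket("alice", service)
    query = urlencode({"service": service, "ticket": ticket})
    url = f"https://cas.example.test/cas/validate?{query}"  # constructed CAS host
    cache = PageCache(server, validation_cacheable)
    first = cache.get(url)
    second = cache.get(url)
    return first.startswith("yes") and second.startswith("no")


if __name__ == "__main__":
    print("validation cacheable  ->", validation_replay_rejected(True))   # False
    print("validation uncacheable ->", validation_replay_rejected(False))  # True
```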

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • CAS Server 6.x-2.x versions prior to 6.x-3.3.
  • CAS Server 7.x-2.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed CAS module, there is nothing you need to do.

Solution

Install the latest version:

Also see the CAS project page.

Reported by / Fixed by / Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-034 - Custom Search - Cross Site Scripting

Drupal Contrib Security Announcements - Wed, 04/02/2014 - 17:05
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-034
  • Project: Custom Search (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-April-02
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The Custom Search module alters the default search box to provide additional search filtering options and control.

Custom Search contains a persistent cross-site scripting (XSS) vulnerability due to the fact that it fails to sanitize filter labels before display.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer custom search."

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Custom Search 6.x-1.x versions prior to 6.x-1.12.
  • Custom Search 7.x-1.x versions prior to 7.x-1.14.

Drupal core is not affected. If you do not use the contributed Custom Search module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Custom Search project page.

Reported by / Fixed by / Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-033 - Nivo Slider - Cross Site Scripting

Drupal Contrib Security Announcements - Wed, 03/19/2014 - 17:21
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-033
  • Project: Nivo Slider (third-party module)
  • Version: 7.x
  • Date: 2014-March-19
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

Nivo Slider provides a way to showcase featured content. Nivo Slider gives administrators a simple method of adding slides to the slideshow, an administration interface to configure slideshow settings, and simple slider positioning using the Drupal block system.

The module doesn't sufficiently sanitize the title of images in the slider.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer nivo slider".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Nivo Slider 7.x-2.x versions prior to 7.x-1.11.

Drupal core is not affected. If you do not use the contributed Nivo Slider module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Nivo Slider project page.

Reported by / Fixed by / Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-032 - Xapian integration - Access Bypass

Drupal Contrib Security Announcements - Wed, 03/19/2014 - 16:08
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-032
  • Project: Xapian integration (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-March-19
  • Security risk: Not critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This module enables you to use the Xapian system to search a Xapian index from within Drupal.

The module doesn't verify node access rights when a node is loaded for display after the search has been performed in Xapian.

This vulnerability is mitigated by the fact that the system must be using a node access control module.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Xapian integration 6.x-2.x versions prior to 6.x-2.2.
  • Xapian integration 7.x-2.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Xapian integration module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Xapian integration project page.

Reported by / Fixed by / Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Security posts

SA-CONTRIB-2014-031 - Webform Template - Access Bypass

Drupal Contrib Security Announcements - Wed, 03/12/2014 - 20:30
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-031
  • Project: Webform Template (third-party module)
  • Version: 7.x
  • Date: 2014-March-12
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Access Bypass
Description

This module enables you to copy webform config from one node to another.
The module doesn't respect node access when providing possible nodes to copy from. As a result, the titles of nodes a user does not have view access to may be disclosed to that user, who may then be able to copy the webform configuration from those otherwise hidden nodes.
This vulnerability is mitigated by the fact that the system must be using a node access control module and an attacker must have a role that has access to edit nodes of the "webform template destination" type.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All Webform Template 6.x-1.x versions.
  • Webform Template 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Webform Template module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Webform Template module for Drupal 7.x, upgrade to a newer version. The issue is fixed as from 7.x-1.3.
  • If using an older version, be aware of the risks & consequences.

Note: For some people, the previous behavior was actually exactly how they used this module. To restore the original functionality, go to the settings (admin/config/content/webform_template) and check the "Defeat node access" checkbox.

Also see the Webform Template project page.

Reported by / Fixed by / Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Security posts

SA-CONTRIB-2014-030 - SexyBookmarks - Information Disclosure

Drupal Contrib Security Announcements - Wed, 03/12/2014 - 14:16
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-030
  • Project: SexyBookmarks (third-party module)
  • Version: 6.x
  • Date: 2014-March-12
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Information Disclosure
Description

The SexyBookmarks module is a port of the WordPress SexyBookmarks plug-in. The module adds social bookmarking using the Shareaholic service.

The module discloses the private files location when Drupal 6 is configured to use private files.

This vulnerability is mitigated by the fact that only sites using private files are affected.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All SexyBookmarks 6.x-2.x versions.

Drupal core is not affected. If you do not use the contributed SexyBookmarks module, there is nothing you need to do.

Solution
  • If you use the SexyBookmarks module for Drupal 6.x you should disable it.
  • Users can also consider using the Shareaholic module which provides similar features. However, the Shareaholic module is currently only available for Drupal 7 so affected users would have to upgrade to Drupal 7 first.

Also see the SexyBookmarks project page.

Reported by / Fixed by

Not applicable.

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2014-029 - Mime Mail - Access Bypass

Drupal Contrib Security Announcements - Wed, 03/05/2014 - 17:57
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-029
  • Project: Mime Mail (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-March-05
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

The MIME Mail module allows sending MIME-encoded e-mail messages with embedded images and attachments.

By default the module only allows files to be embedded or attached that are located in the public files directory.

The module doesn't sufficiently check the file location: similar paths under different roots are treated as being located in the public files directory, possibly allowing arbitrary files to be sent as attachments without permission.

This vulnerability is mitigated by the fact that an attacker must be able to compose and send e-mail messages to an arbitrary address and the attached file's location must partly match with the system path of the public files directory.
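The bug class above, a location check that matches on the look of a path rather than on where it actually resolves, is easiest to see next to its hardened form. This is an added illustration, not the Mime Mail module's own code; the directory layout and file names are constructed, and the loose check is a stand-in for the class of mistake the advisory describes, not the module's exact logic.

```python
import os

# Constructed sample layout, not any real Drupal site's configuration.
PUBLIC_DIR = "/srv/www/sites/default/files"   # the only permitted attachment root
PUBLIC_REL = "sites/default/files"             # what a loose check might look for

SAMPLE_PATHS = {
    "public":     "/srv/www/sites/default/files/brochure.pdf",
    "traversal":  "/srv/www/sites/default/files/../../../settings.php",
    "sibling":    "/srv/www/sites/default/files_private/payroll.csv",
    "other_root": "/var/backups/srv/www/sites/default/files/dump.sql",
}


def naive_is_public(path: str, public_rel: str = PUBLIC_REL) -> bool:
    """Loose check (constructed to illustrate the bug class): it only asks
    whether the public directory's relative path occurs somewhere in the
    string, so '..' segments, a sibling directory whose name merely starts
    with 'files', and the same path under another root all pass."""
    return public_rel in path


def is_public(path: str, public_dir: str = PUBLIC_DIR) -> bool:
    """Hardened check: canonicalise both sides (collapsing '..' and symlinks)
    and require the file to sit at or below public_dir on a path-component
    boundary, so 'files_private' is never mistaken for 'files'."""
    real_public = os.path.realpath(public_dir)
    real_path = os.path.realpath(path)
    try:
        return os.path.commonpath([real_public, real_path]) == real_public
    except ValueError:          # relative vs. absolute, or different drives
        return False


def compare_checks(paths=SAMPLE_PATHS) -> dict:
    """Run both checks over the samples; returns {name: (naive, hardened)}."""
    return {name: (naive_is_public(p), is_public(p)) for name, p in paths.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in compare_checks().items():
        print(f"{name:11} naive={naive!s:5} hardened={hardened}")
```

Because realpath resolves symlinks, the check should run on the final path immediately before the file is read, not on user input stored earlier.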

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Mime Mail 6.x-1.x versions prior to 6.x-1.4.
  • Mime Mail 7.x-1.x versions prior to 7.x-1.0-beta3.

Drupal core is not affected. If you do not use the contributed Mime Mail module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Mime Mail project page.

Reported by / Fixed by / Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-028 - Masquerade - Access bypass

Drupal Contrib Security Announcements - Wed, 03/05/2014 - 17:39
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-028
  • Project: Masquerade (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-March-05
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This module allows a user with the right permissions to switch users.

When a user has been limited to only masquerading as certain users via the "Enter the users this user is able to masquerade as" user profile field, they can still masquerade as any user on the site by using the "Enter the username to masquerade as." autocomplete field in the masquerade block.

This vulnerability is mitigated by the fact that an attacker must have access to masquerade as another user.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Masquerade 6.x-2.x versions prior to 6.x-1.8.
  • Masquerade 7.x-2.x versions prior to 7.x-1.0-rc6.

Drupal core is not affected. If you do not use the contributed Masquerade module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Masquerade project page.

Reported by / Fixed by / Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-027 - NewsFlash Theme - XSS

Drupal Contrib Security Announcements - Wed, 03/05/2014 - 17:11
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-027
  • Project: NewsFlash (third-party theme)
  • Version: 6.x, 7.x
  • Date: 2014-March-05
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

Newsflash is a theme that features 7 color styles, 12 collapsible regions, suckerfish menus, fluid or fixed widths, built-in IE transparent PNG fix, and lots more.

The theme does not sanitize the user provided theme setting for the font family CSS property, thereby exposing a cross-site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • NewsFlash 6.x-1.x versions prior to 6.x-1.7.
  • NewsFlash 7.x-1.x versions prior to 7.x-2.5.

Drupal core is not affected. If you do not use the contributed NewsFlash theme, there is nothing you need to do.

Solution

Install the latest version:

Also see the NewsFlash project page.

Reported by / Fixed by / Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-026 - Mime Mail - Access bypass

Drupal Contrib Security Announcements - Wed, 02/26/2014 - 19:13
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-026
  • Project: Mime Mail (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-February-26
  • Security risk: Not critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

The MIME Mail module allows processing of incoming MIME-encoded e-mail messages with embedded images and attachments.

The default key for the authentication of incoming messages is generated from a random number. On some platforms (such as Windows) the maximum value of this number is only 32767 which makes the generated key particularly vulnerable to a brute force attack.

This vulnerability is mitigated by the fact that the processing of incoming messages needs to be enabled on the site and the default key can be changed to an arbitrary value by the site administrator.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Mime Mail 6.x-1.x versions prior to 6.x-1.3.
  • Mime Mail 7.x-1.x versions prior to 7.x-1.0-beta2.

Drupal core is not affected. If you do not use the contributed Mime Mail module, there is nothing you need to do.

Solution

Install the latest version:

These releases include a stronger authentication process for incoming messages which is not backward compatible. If you are using this feature, make sure to use the HMAC method with the new key generated during the update process to authenticate your messages.

Also see the Mime Mail project page.

Reported by / Fixed by / Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-025 - Open Omega - Access Bypass

Drupal Contrib Security Announcements - Wed, 02/26/2014 - 17:23
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-025
  • Project: Open Omega (third-party theme)
  • Version: 7.x
  • Date: 2014-February-26
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This theme is a sub-theme of Omega used as a sample theme for the Open Public distribution.

The theme doesn't sufficiently check the user's menu access when building the header and footer menus, so it can expose the title and path of restricted items in the menu.

This vulnerability is mitigated by the fact that it is only present when this menu has items with restricted access that differ by role.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • openomega 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Open Omega module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Open Omega project page.

Reported by / Fixed by / Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-024 - Content Lock - CSRF

Drupal Contrib Security Announcements - Wed, 02/26/2014 - 16:28
Description

This module prevents people from editing the same content at the same time by adding a locking layer to nodes. It does not protect against CSRF.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All 6.x Versions
  • All 7.x Versions

Drupal core is not affected. If you do not use the contributed Content locking (anti-concurrent editing) module, there is nothing you need to do.

Solution

Uninstall the module; it is no longer maintained.

Also see the Content locking (anti-concurrent editing) project page.

Reported by / Fixed by

There is no fix for this issue.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-023 - Project Issue File Review - XSS

Drupal Contrib Security Announcements - Wed, 02/26/2014 - 16:10
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-023
  • Project: Project Issue File Review (third-party module)
  • Version: 6.x
  • Date: 2014-February-26
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The Project Issue File Review (PIFR) module provides an abstracted client-server model and plugin API for performing distributed operations such as code review and testing, with a focus on supporting Drupal development.

Two scenarios were identified where the module does not sufficiently sanitize user provided input, exposing the 'server' component of the module to cross-site scripting vulnerabilities.

The first scenario is mitigated by the fact that an attacker must have a role with the 'manage PIFR environments' administrative permission.

The second scenario is mitigated by the fact that an attacker must be able to initiate testing of a patch specially crafted to exploit the vulnerability on the PIFR testing environment, have the testing execute successfully on a PIFR client, and have the client provide the testing results back to the PIFR server component.

As one common purpose of this module is to provide validation and testing of user-supplied patches, users of the PIFR module should always consider the 'PIFR client' component of this module as insecure and untrusted, by design. The 'PIFR client' component should always be maintained in a separate network environment, isolated from the 'PIFR server' component or other critical infrastructure.

There have been no known exploits of this vulnerability observed or reported on any servers running the PIFR module, including those within Drupal.org's automated testing environment.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Project_Issue_File_Review 6.x-2.x versions prior to 6.x-2.17.

Drupal core is not affected. If you do not use the contributed Project Issue File Review module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the PIFR module for Drupal 6.x, upgrade to Project Issue File Review 6.x-2.17. Be sure to review and consider the associated release notes for all intermediary releases when upgrading.

Also see the Project Issue File Review project page.

Reported by / Fixed by / Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2014-022 - Slickgrid - Access bypass

Drupal Contrib Security Announcements - Wed, 02/19/2014 - 15:36
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-22
  • Project: Slickgrid (third-party module)
  • Version: 7.x
  • Date: 2014-February-22
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

The Slickgrid module is an implementation of the jQuery SlickGrid plugin, a lightning-fast JavaScript grid/spreadsheet. It defines a slickgrid view style, so all data can be output as an editable grid.

The module doesn't check access sufficiently, allowing users to edit and change field values of nodes they should not have access to change.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Slickgrid 7.x-1.x versions

Drupal core is not affected. If you do not use the contributed Slickgrid module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Slickgrid project page.

Reported by / Fixed by / Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-021 - Maestro - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 02/19/2014 - 14:57
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-021
  • Project: Maestro (third-party module)
  • Version: 7.x
  • Date: 2014-February-19
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The Maestro module enables you to create complex workflows, automating business processes.
The module doesn't sufficiently filter Role or Organic Group names when displaying them in the workflow details.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create Drupal Roles or Organic Groups.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Maestro 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Maestro module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Maestro project page.

Reported by / Fixed by / Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-020 - Drupal Commons - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 02/12/2014 - 21:13
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-020
  • Project: Drupal Commons (third-party distribution)
  • Version: 7.x
  • Date: 2014-02-12
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

Drupal Commons is a ready-to-use solution for building either internal or external communities. It provides a complete social business software solution for organizations. Drupal Commons displays an "activity stream" containing messages about actions users take on the site.

In some cases, messages about content creation are not properly sanitized, leading to cross site scripting in those messages.

The vulnerability is mitigated in that only certain kinds of activity stream messages are affected, and not all arbitrary script can be executed.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Drupal Commons 7.x-3.x versions prior to 7.x-3.9.

Drupal core is not affected. If you do not use the contributed Drupal Commons distribution, there is nothing you need to do.

Solution

Install the latest version:

Also see the Drupal Commons project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-019 - Easy Social - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 02/12/2014 - 19:58
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-019
  • Project: Easy Social (third-party module)
  • Version: 7.x
  • Date: 2014-February-12
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

This module enables you to add social sharing widgets to your content and pages.
The module doesn't sufficiently validate block titles when a user creates a custom block from within the module's admin interface.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer easy social".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Easy Social 7.x-2.x versions prior to 7.x-2.11.

Drupal core is not affected. If you do not use the contributed Easy Social module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Easy Social project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-018 - Webform - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 02/12/2014 - 16:45
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-018
  • Project: Webform (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-February-12
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The Webform module enables you to create forms which can be used for surveys, contact forms or other data collection throughout your site.

The module doesn't sufficiently sanitize field label titles when two fields have the same form_key, a state that can only be reached by carefully crafting the webform structure under a specific set of circumstances.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "create webform content".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Webform 6.x-3.x versions prior to 6.x-3.19.
  • Webform 7.x-3.x versions prior to 7.x-3.19.
  • Webform 7.x-4.x versions prior to 7.x-4.0-beta2.

Drupal core is not affected. If you do not use the contributed Webform module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Webform project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts