Skip directly to content

Feed aggregator

Views - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-103

Drupal Contrib Security Announcements - Wed, 04/29/2015 - 16:55
Description

The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented.

Access bypass due cache inconsistency

Due to an issue in the caching mechanism of Views it's possible that configured filters loose their effect.
This can lead to exposure of content that otherwise would be hidden from visitors.
This vulnerability is mitigated by the fact that it can't be exploited directly but occurs when certain prerequisites meet.
Systems that use in-memory cache backends like redis / memcache are more likely to be affected by this issue. This is due the common strategy used to free cache space if the configured memory limit of the cache is reached.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Views 7.x-3.x versions from 7.x-3.5 to 7.x-3.11.

Drupal core is not affected. If you do not use the contributed Views module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Views module for Drupal 7.x, upgrade to Views 7.x-3.11

Also see the Views project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Security posts

Smart Trim- Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-102

Drupal Contrib Security Announcements - Wed, 04/29/2015 - 16:50
Description

This module implements a new field formatter for textfields (text, text_long, and text_with_summary, if you want to get technical) that improves upon the "Summary or Trimmed" formatter built into Drupal 7.

The module doesn't sufficiently filter user input via the field settings form.

This vulnerability is mitigated by the fact that only administrative users who can administer field types can exploit it.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Smart Trim 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Smart Trim module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Smart Trim project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Security posts

MailChimp - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-101

Drupal Contrib Security Announcements - Wed, 04/29/2015 - 15:11
Description

The MailChimp module allows you to create and manage mailing lists via MailChimp's API.

The MailChimp module does not properly sanitize some user input, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the "administer mailchimp" permission.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • MailChimp 7.x-3.x versions prior to 7.x-3.3.
  • MailChimp 7.x-2.x all versions.
  • MailChimp 7.x-1.x all versions.

Drupal core is not affected. If you do not use the contributed MailChimp module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the MailChimp project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Camtasia Relay - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-100

Drupal Contrib Security Announcements - Wed, 04/29/2015 - 15:07
Description

This module enables you to integrate your Drupal site with TechSmith Relay software.
The module doesn't sufficiently sanitize user input under the meta access tab.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "view meta information".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • camtasia_relay 6.x-2.x versions prior to 6.x-3.2.
  • camtasia_relay 7.x-2.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Camtasia Relay module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Camtasia Relay project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

Node Template - Moderately Critical - Cross Site Scripting (XSS) - Unsupported - SA-CONTRIB-2015-099

Drupal Contrib Security Announcements - Wed, 04/22/2015 - 15:18
Description

Node Template module enables you to define any node as a node template and it can be duplicated later.

The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause a user with "access node template" permission to delete node templates by getting their browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

All versions of Node Template module.

Drupal core is not affected. If you do not use the contributed Node Template module, there is nothing you need to do.

Solution

If you use the Node Template module you should uninstall it.

Also see the Node Template project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

Keyword Research - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-098

Drupal Contrib Security Announcements - Wed, 04/22/2015 - 15:12
Description

Keyword Research module enables you to tag and prioritize keywords on a site and node level basis.

The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause another user with "kwresearch admin site keywords" permission to create, delete and set priorities to keywords by getting their browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Keyword Research 6.x-1.x versions prior to 6.x-1.2.

Drupal core is not affected. If you do not use the contributed Keyword Research module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Keyword Research project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

HybridAuth Social Login - Less Critical - Information Disclosure - SA-CONTRIB-2015-097

Drupal Contrib Security Announcements - Wed, 04/22/2015 - 15:04
Description

HybridAuth Social Login module enables you to allow visitors to authenticate or login to a Drupal site using their identities from social networks like Facebook or Twitter.

The module may store user passwords in plain text.

This vulnerability is mitigated by the fact that the option "Ask user for a password when registering" must be enabled. The information is disclosed to anyone with access to the database, "administer users" or "administer site configuration" permission.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • HybridAuth Social Login 7.x-2.x versions prior to 7.x-2.10.

Drupal core is not affected. If you do not use the contributed HybridAuth Social Login module, there is nothing you need to do.

Solution

Install the latest version:

Also see the HybridAuth Social Login project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Services - Critical - Multiple Vulnerabilites - SA-CONTRIB-2015-096

Drupal Contrib Security Announcements - Wed, 04/15/2015 - 18:18
Description

Services module enables you to expose an API to third party systems.

Access bypass (file upload and execution)

The resource/endpoint for uploading files does not properly sanitize the filename of uploaded files. This vulnerability is mitigated by the fact that the "File > Create" resource must be enabled and an attacker must have a role with the Services "Save file information" permission.

Private fields information displayed

Services does not check field_access when displaying entities so some private field information may be displayed. This vulnerability only affects sites using the field access system (for example, via the Field Permissions module) to hide fields from anonymous users.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected

Services 7.x-3.x versions prior to 7.x-3.12.

Drupal core is not affected. If you do not use the contributed Services module,
there is nothing you need to do.

Solution

Install the latest version of Services: Services 7.x-3.12.

As a reminder, Services for Drupal 6 is no longer maintained.

Also see the Services project page.

Reported by Access Bypass/file upload Private fields information displayed Fixed by Access Bypass/file upload Private fields information displayed Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Display Suite - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-095

Drupal Contrib Security Announcements - Wed, 04/15/2015 - 14:30
Description

Display Suite allows you to take full control over how your content is displayed using a drag and drop interface.

In certain situations, Display Suite does not properly sanitize some of the output, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker has to be able to configure field display settings, which usually needs a higher level permission such as administer taxonomy.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Display Suite version 7.x-2.7. Versions prior to Display Suite 7.x-2.7 are not vulnerable.

Drupal core is not affected. If you do not use the contributed Display Suite module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Display Suite project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

CiviCRM private report - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-094

Drupal Contrib Security Announcements - Wed, 04/08/2015 - 15:53
Description

CiviCRM private report module enables users to create their own private copies of CiviCRM reports, which they can modify and save to meet their needs without requiring the "Administer reports" permission.

The module doesn't sufficiently protect some links against CSRF. A malicious user can cause another user to delete reports by getting their browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • CiviCRM private report 6.x-1.x versions prior to 6.x-1.2.
  • CiviCRM private report 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed CiviCRM private report module, there is nothing you need to do.

Solution

Install the latest version:

Also see the CiviCRM private report project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

User Import - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-093

Drupal Contrib Security Announcements - Wed, 04/01/2015 - 17:16
Description

This module enables the import of users into Drupal, or the update of existing users, with data from a CSV file (comma separated file).

Some management URLs were not properly protected. A malicious user could trick an administrator into continuing or deleting an ongoing import by getting them to request certain URLs, thereby leading to a Cross Site Request Forgery (CSRF) vulnerability.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • User Import 6.x-2.x versions prior to 6.x-4.4
  • User Import 7.x-2.x versions prior to 7.x-2.3

Drupal core is not affected. If you do not use the contributed User Import module, there is nothing you need to do.

Solution

Install the latest version:

Also see the User Import project page.

Reported by Fixed by
  • Robert Castelo module maintainer and member of the Drupal Security Team
Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

Open Graph Importer - Moderately Critical - Access bypass - Unsupported - SA-CONTRIB-2015-092

Drupal Contrib Security Announcements - Wed, 04/01/2015 - 16:11
Description

This module enables you to import content from a web page by scraping its Open Graph data.

The module doesn't sufficiently check for "create" permission to the content type that is configured as the destination for imported content, thus allowing a user with the "import og_tag_importer" permission to create content regardless of other permissions.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • og_tag_importer 7.x-1.x versions.

Drupal core is not affected. If you do not use the contributed Open Graph Importer module,
there is nothing you need to do.

Solution

Disable the module. There is no safe version of the module to use.

Also see the Open Graph Importer project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Current Search Links - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-091

Drupal Contrib Security Announcements - Wed, 04/01/2015 - 15:06
Description

Current Search Links module is an extension to the Facet API Current Search Blocks module. Instead of just showing the current search it turns the current search keywords into links that you can drop from the search.

The module doesn't sufficiently sanitize the entered search query, thereby exposing a XSS vulnerability. An attacker could exploit this vulnerability by getting the victim to visit a specially-crafted URL.

This is mitigated by the fact that only sites with the option "Append the keywords passed by the user to the list" disabled are affected.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Current Search Links 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Current Search Links module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Current Search Links project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Password Policy - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-090

Drupal Contrib Security Announcements - Wed, 04/01/2015 - 14:52
Description

The Password Policy module allows enforcing restrictions on user passwords by defining password policies.

The module doesn't sufficiently sanitize usernames in some administration pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that only sites with a policy that uses the username constraint are affected. Also, only sites importing users from an external source (like distributed authentication) may allow non-standard usernames that might contain malicious characters, as Drupal core has validation when creating users via the user interface.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Password Policy 6.x-1.x versions prior to 6.x-1.11.
  • Password Policy 7.x-1.x versions prior to 7.x-1.11.

Drupal core is not affected. If you do not use the contributed Password policy module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Password policy project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

EntityBulkDelete - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-089

Drupal Contrib Security Announcements - Wed, 04/01/2015 - 14:48
Description

EntityBulkDelete module allows you to delete entities in bulk using the Batch API.

The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must be allowed to create/edit comments, create/edit taxonomy terms or create/edit nodes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • EntityBulkDelete 7.x-1.0

Drupal core is not affected. If you do not use the contributed EntityBulkDelete module, there is nothing you need to do.

Solution

Install the latest version:

Also see the EntityBulkDelete project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Imagefield Info - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-088

Drupal Contrib Security Announcements - Wed, 04/01/2015 - 14:43
Description

Imagefield Info module enables you to view image field paths so you can easily use them with a WYSIWYG editor.

The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer image styles".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Imagefield Info 7.x-1.x versions prior to 7.x-1.2

Drupal core is not affected. If you do not use the contributed Imagefield Info module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Imagefield Info project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Ubercart Webform Checkout Pane - Moderately Critical - Cross Site Scripting (XSS) - Unsupported - SA-CONTRIB-2015-087

Drupal Contrib Security Announcements - Wed, 03/25/2015 - 16:24
Description

Ubercart Webform Checkout Pane module allows you to define Webform nodes as checkout/order panes in Ubercart.

The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a user with permission to create/edit Ubercart products or webforms.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of Ubercart Webform Checkout Pane module

Drupal core is not affected. If you do not use the contributed Ubercart Webform Checkout Pane module, there is nothing you need to do.

Solution

If you use the Ubercart Webform Checkout Pane module you should uninstall it.

Also see the Ubercart Webform Checkout Pane project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

Decisions - Moderately Critical - Cross Site Scripting (XSS) - Unsupported - SA-CONTRIB-2015-086

Drupal Contrib Security Announcements - Wed, 03/25/2015 - 16:20
Description

Decisions module is a replacement for the Poll module and provides advanced voting systems and decision-making tools.

The module doesn't sufficiently protect some links against CSRF. A malicious user can cause another user to remove individual voters by getting their browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of Decisions module

Drupal core is not affected. If you do not use the contributed Decisions module, there is nothing you need to do.

Solution

If you use the Decisions module you should uninstall it.

Also see the Decisions project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

Invoice - Moderately Critical - Multiple vulnerabilities - Unsupported - SA-CONTRIB-2015-085

Drupal Contrib Security Announcements - Wed, 03/25/2015 - 16:14
Description

Invoice module allows you to create invoices in Drupal.

The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.

Additionally, some URLs were not protected against CSRF. A malicious user can cause another user to create, delete and alter invoices by getting their browser to make a request to a specially-crafted URL.

The XSS vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer own invoices" and be able to create/edit nodes of the "Invoice" content type.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of Invoice module

Drupal core is not affected. If you do not use the contributed Invoice module, there is nothing you need to do.

Solution

If you use the Invoice module you should uninstall it.

Also see the Invoice project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

Linear Case - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-084

Drupal Contrib Security Announcements - Wed, 03/25/2015 - 16:08
Description

Linear Case module allows you to organize Closed Question documents in case studies.

The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a user with permission to edit/create Linear Case nodes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Linear Case 6.x-1.x versions prior to 6.x-1.3.

Drupal core is not affected. If you do not use the contributed Linear Case module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Linear Case project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

Pages