Skip directly to content

Feed aggregator

SA-CONTRIB-2015-020 - Contact Form Fields - Cross Site Request Forgery (CSRF)

Drupal Contrib Security Announcements - Wed, 01/14/2015 - 18:09
Description

The Contact Form Fields module enables you to create additional fields to site-wide contact form.

Some links were not properly protected from CSRF. A malicious user could cause an administrator to delete fields by getting the administrator's browser to make a request to a specially-crafted URL while the administrator was logged in.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • All Contact Form Fields versions prior to 6.x-2.3.

Drupal core is not affected. If you do not use the contributed Contact form fields module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Contact form fields project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by Coordinated by
  • Pere Orga provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2015-019 - Ubercart Currency Conversion - Open Redirect

Drupal Contrib Security Announcements - Wed, 01/14/2015 - 18:05
Description

This module enables users to change the currency of Ubercart products.

When switching the currency, the user is redirected to a page specified in the destination query parameter. The module was not checking that the passed argument was an internal URL, thereby leading to an open redirect vulnerability.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Ubercart Currency Conversion 6.x-1.x versions prior to 6.x-1.2

Drupal core is not affected. If you do not use the contributed Ubercart Currency Conversion module, there is nothing you need to do.

Solution

Also see the Ubercart Currency Conversion project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by Coordinated by
  • Pere Orga provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2015-018 - Video - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 01/14/2015 - 17:59
Description

This module enables you to upload, convert and playback videos.

The module doesn't sufficiently sanitize node titles when using the video WYSIWYG plugin, thereby opening a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "create video nodes" and that WYSIWYG video plugin must be enabled.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Video 7.x-2.x versions from 7.x-2.2-beta1 to 7.x-2.10.

Drupal core is not affected. If you do not use the contributed Video module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the video module for Drupal 7.x-2.x, upgrade to Video 7.x-2.11

Also see the Video project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by Coordinated by
  • Pere Orga provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-017 - Room Reservations - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 01/14/2015 - 17:52
Description

Room Reservations module enables you to manage a room reservation system.

The module doesn't sufficiently sanitize the node title of "Room Reservations Category" nodes and the body of "Room Reservations Room" nodes, thereby leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a user with the permission "Administer the room reservations system".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Room Reservations 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Room Reservations module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Room Reservations project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by Coordinated by
  • Pere Orga provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-016 - Tadaa! - Multiple vulnerabilities

Drupal Contrib Security Announcements - Wed, 01/14/2015 - 17:46
Description

Tadaa! is a module aimed at simplifying the process of enabling/disabling modules and altering configuration when switching between different environments, e.g. Production/Staging/Development.

The module exposes multiple paths that were not protected against Cross Site Request Forgeries (CSRF). A malicious user could cause a user with "Use Tadaa!" permission to enable and disable modules or change variables by getting his browser to make a request to a specially-crafted URL while logged in.

Also, these callbacks had a destination query parameter that was not protected against open redirects.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Tadaa! 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Tadaa! module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Tadaa! module for Drupal 7.x, upgrade to Tadaa! 7.x-1.4

Also see the Tadaa! project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by Coordinated by
  • Pere Orga provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-015 - Term Merge - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 01/14/2015 - 17:39
Description

This module enables you to merge (synonymous) taxonomy terms among themselves.

The module doesn't sufficiently filter user input under certain conditions, thereby opening a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must be able to create taxonomy terms.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Term Merge 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Term merge module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Term merge project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by Coordinated by
  • Pere Orga provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-014 - Wishlist - Multiple vulnerabilities

Drupal Contrib Security Announcements - Wed, 01/14/2015 - 17:31
Description

The Wishlist module enables authorized users to create wishlist nodes which describe items they would like for a special occasion. Also, it allows users to indicate their intention to purchase items for other users.

The module fails to sanitize user input in log messages, leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access wishlists", and that only sites with dblog module enabled are affected (dblog module is enabled by default).

Also, the paths to manage wishlist purchase intentions do not confirm the intent of a user. A malicious user could cause another user to delete wishlist purchase intentions by getting their browser to make a request to a specially-crafted URL, a Cross-Site Request Forgery (CSRF).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Wishlist 7.x-2.x versions prior to 7.x-2.7.
  • Wishlist 6.x-2.x versions prior to 6.x-2.7.

Drupal core is not affected. If you do not use the contributed Wishlist Module module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Wishlist Module project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by Coordinated by
  • Pere Orga provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2015-010 - Log Watcher - Cross Site Request Forgery (CSRF)

Drupal Contrib Security Announcements - Wed, 01/07/2015 - 19:33
Description

Log Watcher allows you to monitor your site logs in a systematic way by setting up scheduled aggregations for specific log types.

The report administration links are not properly protected from CSRF. A malicious user could cause a log administrator to enable, disable, or delete a Log Watcher report by getting the administrator's browser to make a request to a specially-crafted URL while the administrator was logged in.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Log Watcher 6.x-1.x versions prior to 6.x-1.2.

Drupal core is not affected. If you do not use the contributed Log Watcher module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Log Watcher project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2015-013 - Field Display Label - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 01/07/2015 - 18:57
Description

This module enables you to use a different label for displaying fields from the label used when viewing the field in a form.

The module doesn't sufficiently sanitize the alternate field label in content types settings.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to add or edit fields on an entity.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Field Display Label 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Field Display Label module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Field Display Label project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-012 - Jammer - Cross Site Request Forgery (CSRF)

Drupal Contrib Security Announcements - Wed, 01/07/2015 - 18:54
Description

This module enables you to hide or remove items from displaying including the node and comment preview buttons, node delete button, revision log textarea, workflow form on the workflow tab, and feed icon.

The report administration links are not properly protected from CSRF. A malicious user could cause an administrator to delete settings for hidden form elements or status messages by getting the administrator's browser to make a request to a specially-crafted URL while the administrator was logged in.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Jammer 6.x-1.x versions prior to 6.x-1.8.
  • Jammer 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Jammer module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Jammer module for Drupal 6.x, upgrade to Jammer 6.x-1.8
  • If you use the Jammer module for Drupal 7.x, upgrade to Jammer 7.x-1.4

Also see the Jammer project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2015-011 - Todo Filter - Cross Site Request Forgery (CSRF)

Drupal Contrib Security Announcements - Wed, 01/07/2015 - 18:34
Description

Todo Filter module provides an input filter to display check-boxes that can be used as a task list.

Some paths were not protected against CSRF, meaning that an attacker could cause users to toggle tasks they did not intend to toggle by getting the user's browser to make a request to a specially-crafted URL while the user was logged in.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Todo Filter 6.x-1.x versions prior to 6.x-1.1.
  • Todo Filter 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Todo Filter module, there is nothing you need to do.

Drupal core is not affected. If you do not use the contributed Todo Filter module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Todo Filter project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by Coordinated by
  • Pere Orga provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2015-009 - Linkit - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 01/07/2015 - 18:25
Description

Linkit provides an easy interface for internal and external linking with wysiwyg editors and fields by using an autocomplete field.

The module doesn't sufficiently sanitize node titles in the result list if the node search plugin is enabled.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to add or edit any type of node and that the linkit node search plugin is enabled.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Linkit 7.x-2.x versions prior to 7.x-2.7.
  • Linkit 7.x-3.x versions prior to 7.x-3.3.

Drupal core is not affected. If you do not use the contributed Linkit module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Linkit module for Drupal 7.x and Linkit 7.x-2.x, upgrade to Linkit 7.x-2.7
  • If you use the Linkit module for Drupal 7.x and Linkit 7.x-3.x, upgrade to Linkit 7.x-3.3

Also see the Linkit project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-008 - Batch Jobs - Cross Site Request Forgery (CSRF)

Drupal Contrib Security Announcements - Wed, 01/07/2015 - 18:20
Description

The Batch Jobs project is a scalable way to execute a list of tasks.

Links that take actions on batch jobs are not protected from Cross Site Request Forgery (CSRF). A malicious individual could cause a user that has permission to access a particular batch job (or an administrator) to dele the record of that batch job or possibly execute a task by getting the user's browser to make a request to a specially-crafted URL while the user is logged in.

This vulnerability only exists when batch job data exists - i.e. during the short period it is running or if it is retained (not deleted after completion of the batch job).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Batch Jobs 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Batch Jobs module,
there is nothing you need to do.

Solution

Make sure that all batch jobs are deleted or install the latest version:

Also see the Batch Jobs project page.

Reported by Fixed by Coordinated by
  • Pere Orga provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-006 - Cloudwords for Multilingual Drupal - Multiple vulnerabilities

Drupal Contrib Security Announcements - Wed, 01/07/2015 - 18:15
Description

This module provides integration with the Cloudwords third-party service.

The module was not sanitizing node titles on certain conditions, thereby leading to a Cross Site Scripting (XSS) vulnerability.

Also, a menu callback was not protected against CSRF.

The XSS vulnerability is mitigated by the fact that an attacker must have a user with permissions to create nodes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Cloudwords for Multilingual Drupal 7.x-2.x versions prior to 7.x-2.3.

Drupal core is not affected. If you do not use the contributed Cloudwords for Multilingual Drupal module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Cloudwords for Multilingual Drupal project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by Coordinated by
  • Pere Orga provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-007 - Htaccess - Cross Site Request Forgery (CSRF)

Drupal Contrib Security Announcements - Wed, 01/07/2015 - 18:14
Description

The Htaccess module allows the creation and deployment of .htaccess files based on custom settings.

Some administration links were not properly protected from Cross Site Request Forgery (CSRF). A malicious user could cause an administrator to deploy or delete .htaccess files by getting the administrator's browser to request specially crafted URLS while the administrator was logged in.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • All Htaccess 7.x-2.x versions prior to 7.x-2.3.

Drupal core is not affected. If you do not use the contributed htaccess module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the htaccess project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by
  • Jibus the module maintainer
Coordinated by
  • Pere Orga provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-005 - WikiWiki - SQL injection

Drupal Contrib Security Announcements - Wed, 01/07/2015 - 17:02
Description

WikiWiki module gives you one place to create, share and find wiki pages in your site.

The module did not sanitize user input inside a database query thereby leading to a SQL Injection vulnerability.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • WikiWiki 6.x-1.x versions prior to 6.x-1.2.

Drupal core is not affected. If you do not use the contributed WikiWiki module, there is nothing you need to do.

Solution

Install the latest version:

Also see the WikiWiki project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by Coordinated by
  • Pere Orga provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2015-004 - Context - Open Redirect

Drupal Contrib Security Announcements - Wed, 01/07/2015 - 16:30
Description

Context allows you to manage contextual conditions and reactions for different portions of your site.

Context UI module wasn't checking for external URLs in the HTTP GET destination parameter when redirecting users that are activating/deactivating the Context UI inline editor dialog, thereby leading to an Open Redirect vulnerability.

This vulnerability is mitigated by the fact that the victim must have the permission "administer contexts" and that Context UI module must be enabled.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Context 7.x-3.x versions prior to 7.x-3.6

Drupal core is not affected. If you do not use the contributed Context module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Context project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-003 - PHPlist Integration Module - SQL Injection

Drupal Contrib Security Announcements - Wed, 01/07/2015 - 16:10
Description

The PHPlist Integration module provides an integration between a Drupal website and phpList newsletter manager. The module provides two main features: user sync and sending a node as a newsletter.

The module introduces a SQL Injection vulnerability to the phpList database. The Drupal database is not affected.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer PHPlist".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • PHPlist Integration Module 6.x-1.x versions prior to 6.x-1.7.

Drupal core is not affected. If you do not use the contributed PHPlist Integration Module module, there is nothing you need to do.

Solution

Install the latest version:

Also see the PHPlist Integration Module project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2015-002 - Course - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 01/07/2015 - 15:59
Description

Course module enables you to create e-learning courses with any number of requirements for completion.

The module doesn't sufficiently filter node title displays when being used in a course.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create course content.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Course 7.x-1.x versions prior to 7.x-1.4
  • Course 6.x-1.x versions prior to 6.x-1.2

Drupal core is not affected. If you do not use the contributed Course module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Course module for Drupal 7.x, upgrade to Course 7.x-1.4
  • If you use the Course module for Drupal 6.x, upgrade to Course 6.x-1.2

Also see the Course project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by Coordinated by
  • Pere Orga provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2015-001 - OPAC - Cross-Site Request Forgery (CSRF)

Drupal Contrib Security Announcements - Wed, 01/07/2015 - 15:39
Description

OPAC module enables you to create mappings between node fields and ILS record fields.

The module doesn't ask for confirmation when removing a mapping, leaving this operation vulnerable to cross-site request forgery (CSRF) attacks.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • OPAC 7.x-2.x versions prior to 7.x-2.3.

Drupal core is not affected. If you do not use the contributed OPAC module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the OPAC module 7.x-2.0, upgrade to OPAC 7.x-2.3

Also see the OPAC project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by Coordinated by
  • Pere Orga provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Pages