
Feed aggregator

SA-CONTRIB-2015-034 - Commerce WeDeal - Open Redirect

Drupal Contrib Security Announcements - Wed, 02/04/2015 - 17:13
Description

Commerce WeDeal module enables you to do Commerce payments through the payment provider WeDeal.

The module doesn't sufficiently check a query parameter used for page redirection, thereby leading to an Open Redirect vulnerability.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Commerce WeDeal 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Commerce WeDeal module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Commerce WeDeal project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-033 - Certify - Access bypass and information disclosure

Drupal Contrib Security Announcements - Wed, 01/28/2015 - 18:14
Description

Certify enables you to automatically issue PDF certificates to users upon completion of a set of conditions.

The module does not sufficiently check node access when showing (and creating) the PDF certificates. This can lead to users seeing certificates they should not have access to.

This vulnerability is mitigated by the fact that an attacker must have completed the conditions of the certificate.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Certify 6.x-2.x versions prior to 6.x-2.3.

Drupal core is not affected. If you do not use the contributed Certify module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Certify project page.

Reported by

Fixed by

Coordinated by

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2015-032 - Node Invite - Multiple vulnerabilities

Drupal Contrib Security Announcements - Wed, 01/28/2015 - 16:57
Description

Node Invite module enables you to invite people to RSVP on node types that have been configured to represent events.

The module doesn't sufficiently sanitize the titles of nodes in some listings, allowing a malicious user to inject code, thereby leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that the attacker must have permission to create or edit nodes configured to be used for RSVP.

Additionally, some URLs are not protected against CSRF. A malicious user can cause a user with the "node_invite_can_manage_invite" permission to re-enable node invitations by getting that user's browser to make a request to a specially-crafted URL.

Lastly, the module is not checking that some destination parameters are internal URLs, thereby leading to an Open Redirect vulnerability.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Node Invite 6.x-2.x versions prior to 6.x-2.5.

Drupal core is not affected. If you do not use the contributed Node Invite module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Node Invite project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by

Coordinated by
  • Pere Orga provisional member of the Drupal Security Team

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2015-031 - GD Infinite Scroll - Multiple vulnerabilities

Drupal Contrib Security Announcements - Wed, 01/28/2015 - 16:37
Description

GD Infinite Scroll module enables you to use the "infinite scroll jQuery plugin : auto-pager" on custom pages.

Some links were not protected against CSRF. A malicious user could cause another user with the "edit gd infinite scroll settings" permission to delete settings by getting that user's browser to make a request to a specially-crafted URL.

Also, the module fails to sanitize user input in its admin page, leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "edit gd infinite scroll settings".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected

  • All GD Infinite Scroll versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed GD Infinite Scroll module,
there is nothing you need to do.

Solution

Install the latest version: upgrade to GD Infinite Scroll 7.x-1.4.

Also see the GD Infinite Scroll project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by

Coordinated by
  • Pere Orga provisional member of the Drupal Security Team

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-030 - Amazon AWS - Access bypass

Drupal Contrib Security Announcements - Wed, 01/28/2015 - 16:27
Description

Amazon AWS module provides integration with Amazon Web Services (AWS).

A malicious user could potentially guess an access token and trigger the creation of new backups by making a request to a specially-crafted URL. If the number of stored backups was limited, an attacker could exceed the limit by calling the URL multiple times, thereby resulting in the loss of older backup states that would get replaced with the newly generated ones.

This vulnerability is mitigated by the fact that an attacker must know the AWS Access Key Id (these are not secret).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Amazon AWS versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Amazon AWS module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Amazon AWS project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by

Coordinated by
  • Pere Orga provisional member of the Drupal Security Team

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-029 - Corner - Cross Site Request Forgery (CSRF) - Unsupported

Drupal Contrib Security Announcements - Wed, 01/21/2015 - 20:01
Description

This module enables you to add configurable corners to your site.

A malicious user can cause an administrator to enable and disable corners by getting the administrator's browser to make a request to a specially-crafted URL while the administrator is logged in.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • All versions of Corner module

Drupal core is not affected. If you do not use the contributed Corner module,
there is nothing you need to do.

Solution

If you use the Corner module you should uninstall it.

Also see the Corner project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by

Not applicable.

Coordinated by
  • Pere Orga provisional member of the Drupal Security Team

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2015-028 - Shibboleth Authentication - Cross Site Request Forgery (CSRF)

Drupal Contrib Security Announcements - Wed, 01/21/2015 - 19:49
Description

Shibboleth Authentication module allows users to log in and get permissions based on federated (SAML2) authentication.

The roles that are assigned to users are based on a matching list. A malicious attacker can delete matching rules from the list by getting the administrator's browser to make a request to a specially-crafted URL while the administrator is logged in.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Shibboleth Authentication 6.x-4.x versions prior to 6.x-4.1.
  • Shibboleth Authentication 7.x-4.x versions prior to 7.x-4.1.

Drupal core is not affected. If you do not use the contributed Shibboleth authentication module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Shibboleth Authentication module for Drupal 6.x, upgrade to 6.x-4.1
  • If you use the Shibboleth Authentication module for Drupal 7.x, upgrade to 7.x-4.1

Also see the Shibboleth authentication project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by

Coordinated by
  • Pere Orga provisional member of the Drupal Security Team

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-027 - Quizzler - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 01/21/2015 - 16:20
Description

The Quizzler module allows you to create online quizzes and tests. Quizzes are nodes with questions attached.

The module does not sanitize user input in the node title when displaying it on the page, allowing a malicious user to inject code, thereby leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role that allows them to create nodes or edit nodes that are assigned as quizzes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • All versions prior to 7.x-1.16.

Drupal core is not affected. If you do not use the contributed Quizzler module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Quizzler project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by

Coordinated by
  • Pere Orga provisional member of the Drupal Security Team

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-026 - Taxonews - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 01/21/2015 - 16:07
Description

This module enables you to create blocks of nodes carrying a given taxonomy term.

The module doesn't sufficiently escape term names in the blocks it builds, thereby leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer taxonomy" or the ability to create terms in some other way.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Taxonews 7.x-1.x versions prior to 7.x-1.1.
  • Taxonews 6.x-1.x versions prior to 6.x-1.2.

Drupal core is not affected. If you do not use the contributed Taxonews module,
there is nothing you need to do.

Solution

Install the latest version of Taxonews module:

Also see the Taxonews project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by
  • FGM the module maintainer
Coordinated by
  • Pere Orga provisional member of the Drupal Security Team

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-025 - Patterns - Cross Site Request Forgery (CSRF)

Drupal Contrib Security Announcements - Wed, 01/21/2015 - 15:39
Description

Patterns module manages and automates site configuration. Site configurations stored in XML or YAML are called Patterns, and these are easy to read, modify, manage & share and can be executed manually or as a part of an automated web site deployment.

Some links were not protected against CSRF. A malicious user could cause an administrator to restore, publish and unpublish patterns by getting the administrator's browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Patterns 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Patterns module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Patterns project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by

Coordinated by
  • Pere Orga provisional member of the Drupal Security Team

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-023 - Classified Ads - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 01/21/2015 - 15:30
Description

Classified Ads module enables administrators to create classified ads in various categories.

The module doesn't correctly escape the category names in its administration user interface, thereby leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer taxonomy".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Classified Ads 6.x-3.x versions prior to 6.x-3.1.
  • Classified Ads 7.x-3.x versions prior to 7.x-3.1.

Drupal core is not affected. If you do not use the contributed Classified Ads module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Classified Ads project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by

Coordinated by

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-024 - Alfresco - Cross Site Request Forgery (CSRF)

Drupal Contrib Security Announcements - Wed, 01/21/2015 - 15:28
Description

The Alfresco module provides integration between Drupal and Alfresco via Content Management Web Services (SOAP) and Repository RESTful API. The Alfresco Browser submodule provides an AJAX-based repository browser that allows users to visualize, upload, search and retrieve nodes from the Alfresco repository.

Some links from Alfresco Browser were not properly protected from CSRF. A malicious user could cause a user to delete Alfresco nodes by getting the user's browser to make a request to a specially-crafted URL while the user was logged in.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Alfresco 6.x-1.x versions prior to 6.x-1.3.

Drupal core is not affected. If you do not use the contributed Alfresco module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Alfresco project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by

Coordinated by
  • Pere Orga provisional member of the Drupal Security Team

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2015-022 - nodeauthor - Cross Site Scripting (XSS) - Unsupported

Drupal Contrib Security Announcements - Wed, 01/14/2015 - 19:12
Description

This module displays node author information in a jQuery slider.

The module doesn't sufficiently sanitize Profile2 fields in a block it provides, thereby leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a user account allowed to edit profile fields.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • All versions of nodeauthor module.

Drupal core is not affected. If you do not use the contributed nodeauthor module,
there is nothing you need to do.

Solution

If you use the nodeauthor module you should uninstall it.

Also see the nodeauthor project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by

Not applicable.

Coordinated by
  • Pere Orga provisional member of the Drupal Security Team

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-021 - Content Analysis - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 01/14/2015 - 19:01
Description

The Content Analysis module is an API designed to help modules that need to analyze content.

The module fails to sanitize user input in log messages, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that only sites with the dblog module enabled are affected.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Content Analysis 6.x-1.x versions prior to 6.x-1.7.

Drupal core is not affected. If you do not use the contributed Content Analysis module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Content Analysis project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by

Coordinated by
  • Pere Orga provisional member of the Drupal Security Team

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2015-020 - Contact Form Fields - Cross Site Request Forgery (CSRF)

Drupal Contrib Security Announcements - Wed, 01/14/2015 - 18:09
Description

The Contact Form Fields module enables you to add additional fields to the site-wide contact form.

Some links were not properly protected from CSRF. A malicious user could cause an administrator to delete fields by getting the administrator's browser to make a request to a specially-crafted URL while the administrator was logged in.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • All Contact Form Fields versions prior to 6.x-2.3.

Drupal core is not affected. If you do not use the contributed Contact form fields module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Contact form fields project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by

Coordinated by
  • Pere Orga provisional member of the Drupal Security Team

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2015-019 - Ubercart Currency Conversion - Open Redirect

Drupal Contrib Security Announcements - Wed, 01/14/2015 - 18:05
Description

This module enables users to change the currency of Ubercart products.

When switching the currency, the user is redirected to a page specified in the destination query parameter. The module was not checking that the passed argument was an internal URL, thereby leading to an open redirect vulnerability.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Ubercart Currency Conversion 6.x-1.x versions prior to 6.x-1.2

Drupal core is not affected. If you do not use the contributed Ubercart Currency Conversion module, there is nothing you need to do.

Solution

Also see the Ubercart Currency Conversion project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by

Coordinated by
  • Pere Orga provisional member of the Drupal Security Team

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2015-018 - Video - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 01/14/2015 - 17:59
Description

This module enables you to upload, convert and playback videos.

The module doesn't sufficiently sanitize node titles when using the video WYSIWYG plugin, thereby opening a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "create video nodes" and that WYSIWYG video plugin must be enabled.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Video 7.x-2.x versions from 7.x-2.2-beta1 to 7.x-2.10.

Drupal core is not affected. If you do not use the contributed Video module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the video module for Drupal 7.x-2.x, upgrade to Video 7.x-2.11

Also see the Video project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by

Coordinated by
  • Pere Orga provisional member of the Drupal Security Team

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-017 - Room Reservations - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 01/14/2015 - 17:52
Description

Room Reservations module enables you to manage a room reservation system.

The module doesn't sufficiently sanitize the node title of "Room Reservations Category" nodes and the body of "Room Reservations Room" nodes, thereby leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a user account with the permission "Administer the room reservations system".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Room Reservations 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Room Reservations module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Room Reservations project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by

Coordinated by
  • Pere Orga provisional member of the Drupal Security Team

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-016 - Tadaa! - Multiple vulnerabilities

Drupal Contrib Security Announcements - Wed, 01/14/2015 - 17:46
Description

Tadaa! is a module aimed at simplifying the process of enabling/disabling modules and altering configuration when switching between different environments, e.g. Production/Staging/Development.

The module exposes multiple paths that were not protected against Cross Site Request Forgery (CSRF). A malicious user could cause a user with the "Use Tadaa!" permission to enable and disable modules or change variables by getting that user's browser to make a request to a specially-crafted URL while logged in.

Also, these callbacks had a destination query parameter that was not protected against open redirects.
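The two defects described here (state-changing GET callbacks with no CSRF token, and a destination parameter that is followed without checking it is internal) recur across this feed: Node Invite, GD Infinite Scroll, Corner, Shibboleth Authentication, Patterns, Alfresco and Contact Form Fields for CSRF, and Commerce WeDeal, Node Invite, Ubercart Currency Conversion and Tadaa! for open redirect. The following is an added Drupal 7 example, not code from any of those modules: a menu callback written first in the unprotected shape the advisories describe, then hardened with the core token API and url_is_external(). The module name demo_toggle, the path demo/toggle/%, the permission "use demo toggle" and the variable names are made up for illustration.

```php
<?php
/**
 * Added example (hypothetical module "demo_toggle"): a state-changing callback
 * protected against CSRF and open redirect with Drupal 7 core APIs.
 */

/**
 * Implements hook_menu().
 */
function demo_toggle_menu() {
  $items = array();
  $items['demo/toggle/%'] = array(
    'title' => 'Toggle a setting',
    'page callback' => 'demo_toggle_page',
    'page arguments' => array(2),
    'access arguments' => array('use demo toggle'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Builds the link the module itself renders. drupal_get_token() derives the
 * token from the current session and the value given, so a URL copied out of
 * one session cannot be replayed by the victim's browser in another.
 */
function demo_toggle_link($name) {
  $query = array('token' => drupal_get_token('demo_toggle_' . $name));
  $query += drupal_get_destination();
  return l(t('Toggle @name', array('@name' => $name)), 'demo/toggle/' . $name, array('query' => $query));
}

/**
 * VULNERABLE shape, as the advisories describe it: any GET request from a user
 * holding the permission changes state, and whatever was passed as
 * ?destination= is handed to drupal_goto(); url() treats an absolute URL as
 * external and redirects to it as-is.
 */
function demo_toggle_page_unsafe($name) {
  variable_set('demo_toggle_' . $name, !variable_get('demo_toggle_' . $name, FALSE));
  if (isset($_GET['destination'])) {
    drupal_goto($_GET['destination']);
  }
  drupal_goto('<front>');
}

/**
 * HARDENED shape: the per-action token is verified before any state changes,
 * and only an internal path is used as the redirect target.
 */
function demo_toggle_page($name) {
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], 'demo_toggle_' . $name)) {
    // Returning this constant makes the menu system deliver a 403 page.
    return MENU_ACCESS_DENIED;
  }
  variable_set('demo_toggle_' . $name, !variable_get('demo_toggle_' . $name, FALSE));
  drupal_set_message(t('Setting %name toggled.', array('%name' => $name)));

  // url_is_external() is true for "scheme://host/..." and for protocol-relative
  // "//host/..." forms; anything external falls back to the front page.
  $destination = isset($_GET['destination']) ? $_GET['destination'] : '<front>';
  if (url_is_external($destination)) {
    $destination = '<front>';
  }
  drupal_goto($destination);
}
```

Drupal 7 core's drupal_goto() already ignores an external value in $_GET['destination'] when it overrides its $path argument, so the explicit url_is_external() check is what matters when a module performs the redirect itself, reads the target from a differently named parameter, or passes the raw value as the $path argument as the unsafe variant does. Returning MENU_ACCESS_DENIED on a bad token, rather than silently redirecting, also leaves a 403 in the access log where a failed forgery attempt can be noticed.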

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Tadaa! 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Tadaa! module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Tadaa! module for Drupal 7.x, upgrade to Tadaa! 7.x-1.4

Also see the Tadaa! project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by

Coordinated by
  • Pere Orga provisional member of the Drupal Security Team

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-015 - Term Merge - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 01/14/2015 - 17:39
Description

This module enables you to merge (synonymous) taxonomy terms among themselves.

The module doesn't sufficiently filter user input under certain conditions, thereby opening a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must be able to create taxonomy terms.
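Most of the XSS advisories in this feed share one root cause: a value a user was allowed to enter (a node title in Quizzler, Video, Room Reservations and Node Invite; a taxonomy term name in Taxonews, Classified Ads and Term Merge; profile fields in nodeauthor; a log message in Content Analysis) is concatenated into HTML or a watchdog message as stored. The following is an added Drupal 7 example, not code from any of those modules, showing the unsanitized listing pattern beside one that escapes at output time. The module name demo_listing and the sample node and term objects are constructed for illustration.

```php
<?php
/**
 * Added example (hypothetical module "demo_listing"): rendering node titles
 * and taxonomy term names in a block without, and then with, output escaping.
 */

/**
 * VULNERABLE pattern: stored values are dropped straight into markup. Any
 * HTML a user managed to put into a title or term name is rendered as HTML
 * for every viewer of the block.
 */
function demo_listing_block_content_unsafe(array $nodes, array $terms) {
  $output = '<ul>';
  foreach ($nodes as $node) {
    $output .= '<li>' . $node->title . '</li>';
  }
  foreach ($terms as $term) {
    $output .= '<li>' . $term->name . '</li>';
  }
  return $output . '</ul>';
}

/**
 * HARDENED pattern: each user-supplied value is escaped at the point it is
 * placed into HTML.
 */
function demo_listing_block_content(array $nodes, array $terms) {
  $items = array();
  foreach ($nodes as $node) {
    // l() escapes the link text itself unless 'html' => TRUE is passed.
    $items[] = l($node->title, 'node/' . $node->nid);
  }
  foreach ($terms as $term) {
    // check_plain() turns <, >, &, " and ' into entities, so the name is
    // displayed literally instead of being parsed.
    $items[] = check_plain($term->name);
  }
  // theme_item_list() does not escape its items; it expects them to be safe.
  return theme('item_list', array('items' => $items));
}

/**
 * Implements hook_block_info().
 */
function demo_listing_block_info() {
  return array('listing' => array('info' => t('Demo listing')));
}

/**
 * Implements hook_block_view().
 */
function demo_listing_block_view($delta = '') {
  if ($delta !== 'listing') {
    return array();
  }
  // Constructed sample objects standing in for node_load_multiple() and
  // taxonomy_term_load_multiple() results; the markup in the title is what a
  // user with node-creation rights could store.
  $node = (object) array('nid' => 1, 'title' => '<em>Not so plain</em> & friends');
  $term = (object) array('tid' => 1, 'name' => 'News & "events"');

  // Log messages: the log viewer runs the message through format_string(), so
  // values passed as @ or % placeholders are escaped; values concatenated into
  // the message string are not (the Content Analysis pattern).
  watchdog('demo_listing', 'Listed node %title', array('%title' => $node->title), WATCHDOG_NOTICE);

  return array(
    'subject' => t('Listing'),
    'content' => demo_listing_block_content(array($node), array($term)),
  );
}
```

With the sample above, the hardened block shows the title as the literal text "<em>Not so plain</em> & friends" and the term as 'News & "events"', while the unsafe variant renders the emphasis tag and leaves the unescaped ampersands and quotes for the browser to reinterpret. The rule the two functions illustrate is the one Drupal's own coding guidance gives: sanitize on output, at the boundary where a value becomes HTML, rather than trusting that whoever stored the value was restricted enough.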

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Term Merge 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Term merge module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Term merge project page.

Reported by
  • Pere Orga provisional member of the Drupal Security Team
Fixed by

Coordinated by
  • Pere Orga provisional member of the Drupal Security Team

Drupal version: Drupal 7.x
Categories: Security posts
