
Feed aggregator

Drupal Core - Highly Critical - Injection - SA-CORE-2016-003

Core Security Advisories - Mon, 07/18/2016 - 9:53am
Description

Drupal 8 uses the third-party PHP library Guzzle for making server-side HTTP requests. An attacker can provide a proxy server that Guzzle will use. The details of this are explained at https://httpoxy.org/.

CVE identifier(s) issued
  • CVE-2016-5385
Versions affected
  • Drupal core 8.x versions prior to 8.1.7
Solution

Install the latest version:

  • If you use Drupal 8.x, upgrade to Drupal core 8.1.7
  • If you use Drupal 7.x, Drupal core is not affected. However, you should consider using the mitigation steps at https://httpoxy.org/ since you might have modules or other software on your server affected by this issue. For example, sites using Apache can add the following code to .htaccess:

        <IfModule mod_headers.c>
          RequestHeader unset Proxy
        </IfModule>

We also suggest mitigating it as described here: https://httpoxy.org/
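To make the mechanism behind this advisory concrete, the following added example (not code from the advisory, from Drupal or from Guzzle) models how a CGI-style gateway turns a client-supplied Proxy header into the HTTP_PROXY environment variable, what the `RequestHeader unset Proxy` rule above removes, and the library-side rule from httpoxy.org of trusting HTTP_PROXY only under the CLI. All header names, hostnames and the `sapi` parameter are constructed for the example.

```python
"""Models the httpoxy mechanism: a client-supplied "Proxy" request header
becomes the HTTP_PROXY environment variable under CGI-style deployments,
and an HTTP library that honours HTTP_PROXY will then route its own
outbound requests through whatever host the client named.  Added example,
not code from the advisory or from Guzzle; all values are constructed."""
from typing import Dict, Iterable, List, Optional, Tuple

Header = Tuple[str, str]


def cgi_meta_variable(header_name: str) -> str:
    """RFC 3875 section 4.1.18: request headers are exposed as HTTP_<NAME>,
    upper-cased with '-' replaced by '_'.  "Proxy" therefore collides with
    the HTTP_PROXY variable that many libraries read for proxy settings."""
    return "HTTP_" + header_name.strip().upper().replace("-", "_")


def build_cgi_env(headers: Iterable[Header],
                  base_env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """What a CGI/FastCGI gateway does: copy every request header into the
    environment of the script.  A header-derived value overwrites any
    operator-set variable of the same name."""
    env = dict(base_env or {})
    for name, value in headers:
        env[cgi_meta_variable(name)] = value
    return env


def unset_proxy_header(headers: Iterable[Header]) -> List[Header]:
    """Web-server mitigation: the equivalent of the advisory's
    `RequestHeader unset Proxy`, dropping the header before CGI sees it."""
    return [(n, v) for n, v in headers if n.strip().lower() != "proxy"]


def outbound_proxy(env: Dict[str, str], sapi: str) -> Optional[str]:
    """Library-side mitigation recommended at httpoxy.org: only trust
    HTTP_PROXY when running from the command line, where it cannot have
    come from a request.  `sapi` mirrors what PHP's php_sapi_name() returns."""
    if sapi != "cli":
        return None
    return env.get("HTTP_PROXY") or None


def audit_cgi_env(env: Dict[str, str]) -> List[str]:
    """Defensive check for a request-derived environment: report every
    proxy-related variable present.  Under a web SAPI the expected result
    is an empty list; anything else is worth an alert."""
    return sorted(k for k in env if k.endswith("_PROXY"))


if __name__ == "__main__":
    # Constructed request: a legitimate Host header plus a hostile Proxy header.
    request = [("Host", "www.example.test"),
               ("Proxy", "http://attacker.example.test:8080")]
    env = build_cgi_env(request)
    print("vulnerable env:", audit_cgi_env(env), env.get("HTTP_PROXY"))
    safe_env = build_cgi_env(unset_proxy_header(request))
    print("after unset:", audit_cgi_env(safe_env))
```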

Also see the Drupal core project page.

What if I am running Drupal core 8.0.x?

Drupal core 8.0.x is no longer supported. Update to 8.1.7 to get the latest security and bug fixes.

Why is this being released Monday rather than Wednesday?

The Drupal Security Team usually releases Security Advisories on Wednesdays. However, this vulnerability affects more than Drupal, and the authors of Guzzle and reporters of the issue coordinated to make it public Monday. Therefore, we are issuing a core release to update to the secure version of Guzzle today.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 8.x

Drupal 8.x core release on Monday -- PSA-2016-002

Security Public Service Announcements - Sun, 07/17/2016 - 12:54pm
  • Advisory ID: DRUPAL-PSA-2016-002
  • Project: Drupal
  • Version: 8.x
  • Date: 2016-July-17
  • Security risk: TBD
  • Vulnerability: TBD
Description

We will be doing a Drupal 8 core patch release on Monday, July 18th. This will occur between 14:15 UTC and 19:00 UTC.

There will not be a Drupal 7 release during this window.

Why is this release being issued?

The Drupal security team has learned that a third-party Drupal 8 dependency will be making a security release on Monday, July 18th, and accordingly we will be making a Drupal 8 release soon after. We will not disclose details of the third-party update in advance of that release and cannot respond to requests for further information. This security release is for the dependency only and does not affect Drupal 7 sites. Other mitigating factors will be included with our published SA.

What about the regularly scheduled release window on Wednesday, July 20?

We are moving the regularly scheduled window two days earlier to provide the third-party dependency update, so this replaces that window.

There will not be another core release on Wednesday, July 20th.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 8.x

RESTWS - Highly critical - Remote code execution - SA-CONTRIB-2016-040

Project Security Advisories - Wed, 07/13/2016 - 11:01am
Description

This module enables you to expose Drupal entities as RESTful web services.

RESTWS alters the default page callbacks for entities to provide additional functionality.

A vulnerability in this approach allows an attacker to send specially crafted requests resulting in arbitrary PHP execution.

There are no mitigating factors. This vulnerability can be exploited by anonymous users.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • RESTful Web Services 7.x-2.x versions prior to 7.x-2.6.
  • RESTful Web Services 7.x-1.x versions prior to 7.x-1.7.

Drupal core is not affected. If you do not use the contributed RESTful Web Services module, there is nothing you need to do.

Solution

Install the latest version:

Also see the RESTful Web Services project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Coder - Highly Critical - Remote Code Execution - SA-CONTRIB-2016-039

Project Security Advisories - Wed, 07/13/2016 - 10:59am
Description

The Coder module checks your Drupal code against coding standards and other best practices. It can also fix coding standard violations and perform basic upgrades on modules.

The module doesn't sufficiently validate user inputs in a script file that has the php extension. A malicious unauthenticated user can make requests directly to this file to execute arbitrary php code.

There are no mitigating factors. The module does not need to be enabled for this to be exploited. Its presence on the file system and being reachable from the web are sufficient.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Coder module 7.x-1.x versions prior to 7.x-1.3.
  • Coder module 7.x-2.x versions prior to 7.x-2.6.

Drupal core is not affected. If you do not use the contributed Coder module, there is nothing you need to do.

Solution

Two solutions are possible.

A first option is to remove the module from all publicly available websites:

  • The coder module is intended to be used in development environments and is not intended to be on publicly available servers. Therefore, one simple solution is to remove the entire coder module directory from any publicly accessible website.

A second option is to install the latest version:

Also see the Coder project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Webform Multiple File Upload - Critical - Remote Code Execution - SA-CONTRIB-2016-038

Project Security Advisories - Wed, 07/13/2016 - 10:58am
Description

The Webform Multiple File Upload module allows users to upload multiple files on a Webform.

The Webform Multiple File Upload module contains a Remote Code Execution (RCE) vulnerability where form inputs will be unserialized and a specially crafted form input may trigger arbitrary code execution depending on the libraries available on a site.

This vulnerability is mitigated by the fact that an attacker must have the ability to submit a Webform with a Multiple File Input field. Further, a site must have an object defined with methods that are invoked at wake/destroy that include code that can be leveraged for malicious purposes. Drupal 7 Core contains one such class which can be used to delete arbitrary files, but contributed or custom classes may include methods that can be leveraged for RCE.

Note: this vulnerability exists in the Webform Multiple File Upload (webform_multifile) module. There is a similarly named module Webform Multiple File (webform_multiple_file) which is not related to this issue.
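As an added example (not code from the module or from Drupal), the following detector parses the PHP serialize() wire format that such form inputs arrive in and reports every class name referenced by an object token, which is the precondition for a wake/destroy gadget to fire and is what a request filter or log review would look for. The sample submission and the class name Example_Placeholder_Class are constructed.

```python
"""Detection logic for the unserialize() issue described above: parse the
PHP serialize() format and report every class referenced by an object
token (O: or C:).  Added example, not code from the module or from Drupal;
all sample inputs are constructed and the class names are placeholders."""
from typing import Dict, List, Optional, Tuple


class NotPhpSerialized(ValueError):
    """Raised when the input is not well-formed PHP serialize() output."""


def _expect(data: bytes, pos: int, token: bytes) -> int:
    if data[pos:pos + len(token)] != token:
        raise NotPhpSerialized(f"expected {token!r} at offset {pos}")
    return pos + len(token)


def _length_prefix(data: bytes, pos: int) -> Tuple[int, int]:
    """Read the decimal count that ends at ':' and return (count, next_pos)."""
    end = data.index(b":", pos)
    number = int(data[pos:end])
    if number < 0:
        raise NotPhpSerialized(f"negative length at offset {pos}")
    return number, end + 1


def _value(data: bytes, pos: int, classes: List[str]) -> int:
    """Parse one value at pos, append class names found, return next pos."""
    tag = data[pos:pos + 1]
    if tag == b"N":                                   # N;
        return _expect(data, pos + 1, b";")
    if tag in (b"b", b"i", b"d"):                     # b:1;  i:42;  d:1.5;
        return data.index(b";", pos) + 1
    if tag == b"s":                                   # s:<len>:"<bytes>";
        length, p = _length_prefix(data, _expect(data, pos + 1, b":"))
        p = _expect(data, p, b'"')
        return _expect(data, p + length, b'";')       # length is in bytes
    if tag == b"a":                                   # a:<n>:{key;value;...}
        count, p = _length_prefix(data, _expect(data, pos + 1, b":"))
        p = _expect(data, p, b"{")
        for _ in range(count):
            p = _value(data, p, classes)              # key
            p = _value(data, p, classes)              # value
        return _expect(data, p, b"}")
    if tag in (b"O", b"C"):                           # O:<len>:"<class>":<n>:{...}
        length, p = _length_prefix(data, _expect(data, pos + 1, b":"))
        p = _expect(data, p, b'"')
        classes.append(data[p:p + length].decode("latin-1"))
        p = _expect(data, p + length, b'":')
        count, p = _length_prefix(data, p)
        p = _expect(data, p, b"{")
        if tag == b"C":                               # C: carries opaque bytes
            return _expect(data, p + count, b"}")
        for _ in range(count):
            p = _value(data, p, classes)              # property name
            p = _value(data, p, classes)              # property value
        return _expect(data, p, b"}")
    raise NotPhpSerialized(f"unknown type tag {tag!r} at offset {pos}")


def php_serialized_classes(value: bytes) -> Optional[List[str]]:
    """Return the class names referenced by a serialized value, or None when
    the input is not PHP serialize() output at all (plain text is not a
    signal).  An empty list means well-formed data with no objects."""
    classes: List[str] = []
    try:
        end = _value(value, 0, classes)
    except (ValueError, IndexError):
        return None
    return classes if end == len(value) else None


def flag_object_inputs(form: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Scan submitted form fields and report the ones carrying object tokens.
    Every class reference is flagged: whether it is a usable gadget depends
    on the classes loaded on the site, which a request filter cannot know."""
    findings: Dict[str, List[str]] = {}
    for field, raw in form.items():
        classes = php_serialized_classes(raw)
        if classes:
            findings[field] = classes
    return findings


if __name__ == "__main__":
    # Constructed submission: files_1 is the benign shape a file widget might
    # post (a list of file ids); files_2 smuggles an object token into that
    # list; Example_Placeholder_Class stands in for any class loaded on a site.
    submission = {
        "files_1": b"a:2:{i:0;i:12;i:1;i:13;}",
        "files_2": b'a:1:{i:0;O:25:"Example_Placeholder_Class":1:'
                   b'{s:4:"name";s:5:"hello";}}',
        "comment": b"plain text, not serialized",
    }
    print(flag_object_inputs(submission))
```

In PHP itself the fix is not to call unserialize() on request input at all, or at minimum to pass ['allowed_classes' => false] (PHP 7.0+) so that object tokens cannot instantiate classes.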

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Webform Multifile 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Webform Multiple File Upload module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Webform Multiple File Upload project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Drupal contrib - Highly Critical - Remote code execution PSA-2016-001

Security Public Service Announcements - Tue, 07/12/2016 - 11:18am
Description

There will be multiple releases of Drupal contributed modules on Wednesday July 13th 2016 16:00 UTC that will fix highly critical remote code execution vulnerabilities (risk scores up to 22/25). The Drupal Security Team urges you to reserve time for module updates at that time because exploits are expected to be developed within hours/days. Release announcements will appear at the standard announcement locations.

Drupal core is not affected. Not all sites will be affected. You should review the published advisories on July 13th 2016 to see if any modules you use are affected.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Instagram Block - Moderately Critical - Information Disclosure - SA-CONTRIB-2016-037

Project Security Advisories - Wed, 07/06/2016 - 9:33am
Description

This module enables you to authenticate with Instagram's API via an intermediary service (instagram.yanniboi.com).
The module doesn't sufficiently advise that your authentication tokens could be intercepted.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Instagram Block 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Instagram Block module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Instagram Block project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2016-002

Core Security Advisories - Wed, 06/15/2016 - 2:45pm
Description

Saving user accounts can sometimes grant the user all roles (User module - Drupal 7 - Moderately Critical)

A vulnerability exists in the User module, where if some specific contributed or custom code triggers a rebuild of the user profile form, a registered user can be granted all user roles on the site. This would typically result in the user gaining administrative access.

This issue is mitigated by the fact that it requires contributed or custom code that performs a form rebuild during submission of the user profile form.

Views can allow unauthorized users to see Statistics information (Views module - Drupal 8 - Less Critical)

An access bypass vulnerability exists in the Views module, where users without the "View content count" permission can see the number of hits collected by the Statistics module for results in the view.

This issue is mitigated by the fact that the view must be configured to show a "Content statistics" field, such as "Total views", "Views today" or "Last visit".

The same vulnerability exists in the Drupal 7 Views module (see SA-CONTRIB-2016-036).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Drupal core 7.x versions prior to 7.44
  • Drupal core 8.x versions prior to 8.1.3
Solution

Install the latest version:

Also see the Drupal core project page.

Reported by

Saving user accounts can sometimes grant the user all roles:

Views can allow unauthorized users to see Statistics information:

Fixed by

Saving user accounts can sometimes grant the user all roles:

Views can allow unauthorized users to see Statistics information:

Coordinated by

The Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x, Drupal 8.x

Views - Less Critical - Access Bypass - SA-CONTRIB-2016-036

Project Security Advisories - Wed, 06/15/2016 - 2:42pm
Description

An access bypass vulnerability exists in the Views module, where users without the "View content count" permission can see the number of hits collected by the Statistics module for results in the view.

This issue is mitigated by the fact that the view must be configured to show a "Content statistics" field, such as "Total views", "Views today" or "Last visit".

The same vulnerability exists in the Drupal 8 core Views module (see SA-CORE-2016-002).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Views 7.x-3.x versions prior to 7.x-3.14.

Drupal core is not affected. If you do not use the contributed Views module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Views project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Outline Designer - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-035

Project Security Advisories - Wed, 06/08/2016 - 1:21pm
Description

This module enables you to mass administer book outlines and perform common operations through one interface, improving the usability for the book module.

The module doesn't sufficiently sanitize titles when presenting them on this interface.

This vulnerability is mitigated by the fact that an attacker must have the ability to use Outline Designer, which is generally reserved for content authors and system admins.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Outline Designer 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Outline Designer module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Outline Designer project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Node Embed - Denial of Service - Less critical - SA-CONTRIB-2016-034

Project Security Advisories - Wed, 06/08/2016 - 10:23am
Description

This module enables you to embed the contents of one node in the body field of another.

The module doesn't sufficiently protect against a node being embedded in itself, or a loop being created of one node being embedded in another which is then itself embedded in the first node.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content which allows other content to be embedded.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All Node Embed 7.x-1.x versions.

Drupal core is not affected. If you do not use the contributed Node Embed module, there is nothing you need to do.

Solution
  • If you use the Node Embed module for Drupal 7.x you should uninstall it.

Also see the Node Embed project page.

Reported by

Fixed by
  • Not applicable.
Coordinated by
  • Not applicable.
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Page Manager Search - Moderately Critical - Information disclosure - SA-CONTRIB-2016-032

Project Security Advisories - Wed, 06/08/2016 - 9:58am
Description

This module enables you to make Panels pages (and other pages managed by CTools' Page Manager submodule) indexable and searchable through the standard Search module provided in Drupal core.

The module doesn't block access to Page Manager pages which have been disabled.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Page Manager Search 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Page manager search module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Page manager search project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

REST JSON - Multiple Vulnerabilities - Highly Critical - Unsupported - SA-CONTRIB-2016-033

Project Security Advisories - Wed, 06/08/2016 - 9:56am
Description

This module enables you to expose content, users and comments via a JSON API.
The module contains multiple vulnerabilities, including:

  • Node access bypass
  • Comment access bypass
  • User enumeration
  • Field access bypass
  • User registration bypass
  • Blocked user login
  • Session name guessing
  • Session enumeration

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All 7.x-1.x versions

Drupal core is not affected. If you do not use the contributed REST JSON module, there is nothing you need to do.

Solution

If you use the REST JSON module for Drupal 7.x you should uninstall it.

Also see the REST/JSON project page.

Reported by

Fixed by
  • Not applicable.
Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Opening hours - Moderately Critical - XSS - SA-CONTRIB-2016-031

Project Security Advisories - Wed, 06/01/2016 - 9:14am
Description

This module enables you to enter opening hours for locations in a highly detailed way.

The module doesn't sufficiently escape input data from user input.

This vulnerability is mitigated by the fact that an attacker must be able to edit opening hours by having a role with the permission “Edit opening hours for content”, or have permissions to edit taxonomy terms.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Opening Hours 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed Opening hours module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Opening hours project page.

Reported by

Fixed by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

XML Sitemap - Moderately Critical - XSS - SA-CONTRIB-2016-030

Project Security Advisories - Wed, 05/25/2016 - 11:50am
Description

The XML Sitemap module enables you to create sitemaps which help search engines to more intelligently crawl a website and keep their results up to date.

The module doesn't sufficiently filter the URL when it is displayed in the sitemap.

This vulnerability is mitigated if the setting for "Include a stylesheet in the sitemaps for humans." on the module's administration settings page is not enabled (the default is enabled).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • XML Sitemap 7.x-2.x versions prior to 7.x-2.3.

Drupal core is not affected. If you do not use the contributed XML Sitemap module, there is nothing you need to do.

Solution

Install the latest version:

Also see the XML Sitemap project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Views Megarow - Critical - Access Bypass - SA-CONTRIB-2016-029

Project Security Advisories - Wed, 05/18/2016 - 1:54pm
Description

This module enables you to display content from any path within a list of content inside a view or form. The content is displayed in a modal-like format when the user clicks on the "view link" or any custom links created.

The module doesn't sufficiently check access permissions when the user clicks on a views megarow link.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Views megarow 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed Views Megarow module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Views Megarow project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Registration Codes - Less Critical - Input Validation Vulnerability - SA-CONTRIB-028

Project Security Advisories - Wed, 05/18/2016 - 1:54pm
Description

This module enables you to allow users to enter a special registration code in order to sign up for the site.

The module doesn't sufficiently validate the entered registration code.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Registration Codes 7.x-2.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Registration codes module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Registration codes project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Dropbox client - Multiple Vulnerabilities - SA-CONTRIB-2016-027

Project Security Advisories - Wed, 05/18/2016 - 1:29pm
Description

This module enables you to view Dropbox files in your Drupal site.

The module doesn't sufficiently sanitize filenames when displaying them to users or administrators, leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must be able to upload files to the Dropbox folder that the victim later views through the Drupal site.

Additionally, the module shipped with hardcoded and exposed OAuth credentials, making known users of the module exposed to phishing and/or access bypass.

The app secret has been made invalid, making the exposed secrets unusable for the attacker. This also makes the module unusable without upgrading and taking necessary steps to register a new Dropbox app.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All dropbox_client 7.x-3.x versions.

Drupal core is not affected. If you do not use the contributed Dropbox Client module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the dropbox_client module for Drupal 7.x, upgrade to dropbox_client 7.x-4.0
  • Version 3.x is no longer supported.

Also see the Dropbox Client project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Open Atrium Notifications - Less Critical - Information Disclosure - SA-CONTRIB-2016-026

Project Security Advisories - Wed, 05/04/2016 - 12:43pm
Description

Open Atrium is a distribution of Drupal that allows you to build collaborative web sites. The Open Atrium Notification module adds the ability to send email notifications to users subscribed to certain content.

When combined with the Open Atrium Mailhandler app, incoming email replies to notifications can be processed as new comments. Notifications generated from these imported replies can be sent to the wrong list of users.

This vulnerability is mitigated by the fact that it depends on the specific configuration of the mailhandler that is processing notifications.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • oa_notifications 7.x-2.x versions prior to 7.x-2.30.
  • Open Atrium 7.x-2.x versions prior to 7.x-2.63.

Drupal core is not affected. If you do not use the contributed Open Atrium Notifications module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Open Atrium Notifications project page.

Reported by
  • Mike Potter, provisional member of the Drupal Security Team and Open Atrium maintainer.
Fixed by

Coordinated by
  • Mike Potter, provisional member of the Drupal Security Team.
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Fieldable Panels Panes - Moderately Critical - XSS - SA-CONTRIB-2016-025

Project Security Advisories - Wed, 05/04/2016 - 12:06pm
Description

This module enables you to create fieldable entities that have special integration with Panels.

The module doesn't sufficiently filter the entity title or admin title fields when they are displayed in either the Panels admin UI or the In-Place Editor (IPE), allowing for specially crafted XSS attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with the necessary permissions to create FPP objects, and then either:

  • a user with permission to use the Panels In-Place-Editor (IPE) must visit a page that the FPP object is added to; or
  • a user with permission to use the Panels admin interface must edit a page the FPP object is added to.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Fieldable Panels Panes 7.x-1.x versions prior to 7.x-1.10.

Drupal core is not affected. If you do not use the contributed Fieldable Panels Panes (FPP) module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Fieldable Panels Panes (FPP) project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
