Feed aggregator

Metatag -Moderately Critical - Information disclosure - SA-CONTRIB-2017-019

Project Security Advisories - Wed, 02/15/2017 - 12:21pm
Description

This module enables you to add a variety of meta tags to a site for helping with a site's search engine results and to customize how content is shared on social networks.

The module doesn't sufficiently protect against data being cached that might contain information related to a specific user.

This vulnerability is mitigated by the fact that a site must have a page with sensitive data in the page title that varies per logged in user.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Metatag 7.x-1.x versions prior to 7.x-1.21.

Drupal core is not affected. If you do not use the contributed Metatag module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Metatag project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

RESTful - Moderately Critical - Access Bypass - SA-CONTRIB-2017-018

Project Security Advisories - Wed, 02/15/2017 - 11:55am
Description

This module enables you to build a RESTful API for your Drupal site.

The restful_token_auth module (a sub-module) doesn't validate the status of users when logging them in. This results in a blocked user being able to operate normally with the RESTful actions, even after being blocked.

This vulnerability is mitigated by the fact that an attacker must be in possession of the credentials of a previously blocked user. It is also mitigated by the attacker only will have the access corresponding to the roles of the blocked user. Finally this only affects sites that use the sub-module, restful_token_auth.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • RESTful 7.x-1.x versions prior to 7.x-1.8.
  • RESTful 7.x-2.x versions prior to 7.x-2.16.

Drupal core is not affected. If you do not use the contributed RESTful module, there is nothing you need to do.

Solution

Install the latest version:

Also see the RESTful project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Flag clear - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2017-017

Project Security Advisories - Wed, 02/15/2017 - 11:42am
Description

The Flag clear module allows administrators to remove user flags for content. This functionality is often useful in user-submission use-cases, where users do not necessarily need to unflag things on their own.

The module doesn't sufficiently protect from CSRF attacks. The unflagging links do not include a token.

This vulnerability is mitigated by the fact that an attacker must be targeting users with the 'clear flags' role. They must also discover a valid combination of flag, content and user IDs for flagged content.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All Flag clear module versions prior to 7.x-2.0.

Drupal core is not affected. If you do not use the contributed Flag clear module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Flag clear project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Search API Sorts - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-016

Project Security Advisories - Wed, 02/15/2017 - 11:30am
Description

The Search API Sorts module allows the site administrator to configure custom sort options for their search results and expose the control interface via the core block system.

The module doesn't sufficiently sanitise the name of the sort option which is displayed to users.

This vulnerability is mitigated by the fact that an attacker must have a role with permission 'administer search_api'.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Search API Sorts 7.x-1.x versions prior to 7.x-1.7

Drupal core is not affected. If you do not use the contributed Search API sorts module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Search API sorts project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Hotjar - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-015

Project Security Advisories - Wed, 02/15/2017 - 11:19am
Description

This module enables you to add the Hotjar tracking system to your website.

The module doesn't sufficiently sanitize the Hotjar ID when including tracking code.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer hotjar".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Hotjar 7.x-1.x versions before 7.x-1.2
  • Hotjar 8.x-1.x versions before 8.x-1.0

Drupal core is not affected. If you do not use the contributed Hotjar module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Hotjar module for Drupal 7.x upgrade to Hotjar 7.x-1.2
  • If you use the Hotjar module for Drupal 8.x upgrade to Hotjar 8.x-1.0

Also see the Hotjar project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.xDrupal 8.x

OSF for Drupal - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-014

Project Security Advisories - Wed, 02/08/2017 - 2:20pm
Description

This module enables administrators to use a user interface to create complex semantic queries that can be saved to be used in different locations of a Drupal instance that uses OSF.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • osf_querybuilder 7.x-3.3 versions prior to 7.x-3.3.

Drupal core is not affected. If you do not use the contributed OSF for Drupal module, there is nothing you need to do.

Solution

Install the latest version:

Also see the OSF for Drupal project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Acquia Content Hub - Moderately Critical - Access Bypass - SA-CONTRIB-2017-013

Project Security Advisories - Wed, 02/08/2017 - 1:35pm
Description

The Acquia Content Hub module enables the distribution and discovery of content from any source using the Acquia Content Hub service.

The module allows rendering of any arbitrary entity, without performing the appropriate access check. Users browsing to a well crafted URL could access information they may not be authorized to view.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Acquia Content Hub 8.x-1.x versions prior to 8.x-1.4.

Drupal core is not affected. If you do not use the contributed Acquia Content Hub module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Acquia Content Hub project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 8.x

Wetkit Omega - Moderately Critical - Access Bypass - SA-CONTRIB-2017-012

Project Security Advisories - Wed, 02/08/2017 - 12:00pm
Description

WetKit Omega 4.x is a modern, Sass and Compass enabled Drupal 7 theme powered by the Omega base theme.

When using the Drupal page cache, some links intended for privileged users can get cached and displayed to users who shouldn't have access to them.

This is mitigated by the fact that the unprivileged users won't be able to actually visit the links.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • wetkit_omega 7.x-1.x versions prior to 7.x-1.15.

Drupal core is not affected. If you do not use the contributed Web Experience Toolkit: Omega module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Web Experience Toolkit: Omega project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Facebook Pull - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-011

Project Security Advisories - Wed, 02/08/2017 - 11:45am
Description

This module enables you to add integration with Facebook API.

The module doesn't sufficiently sanitize incoming data from Facebook.

This vulnerability is mitigated by the fact that an attacker must have be able to successfully pass malicious code through Facebook API or alter facebooks DNS and recreate API endpoints.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Facebook Pull versions prior to 7.x-3.1.

Drupal core is not affected. If you do not use the contributed Facebook Pull module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Facebook Pull project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Storage API stream wrappers - Moderately Critical - Access bypass - SA-CONTRIB-2017-010

Project Security Advisories - Wed, 02/08/2017 - 11:27am
Description

This module provides stream wrappers to integrate Storage API with Drupal, as an alternative to Storage API's core_bridge submodule.

It provides two stream wrappers: "Storage API Public" and "Storage API Private".

The private storage API doesn't sufficiently performs access control allowing anonymous users to access the private storage files.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Storage API stream wrappers 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Storage API stream wrappers module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Storage API stream wrappers project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Better Exposed Filters - Less Critical - Cross Site Sscripting (XSS) - SA-CONTRIB-2017-009

Project Security Advisories - Wed, 02/01/2017 - 10:50am
Description

The Better Exposed Filters module gives site builders more choices for rendering Views' exposed form elements.

The module does not sufficiently sanitize taxonomy term descriptions when the "Include the term description" option is selected.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer taxonomy".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Better Exposed Filters 7.x-3.x versions prior to 7.x-3.4.

Drupal core is not affected. If you do not use the contributed Better Exposed Filters module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Better Exposed Filters project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

SalesCloud - Critical - Unsupported - SA-CONTRIB-2017-008

Project Security Advisories - Wed, 01/25/2017 - 1:21pm
Description

This module Connects Drupal to SalesCloud's API, a Commerce Platform as a Service.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed salescloud module, there is nothing you need to do.

Solution

If you use the salescloud module for Drupal 7.x you should uninstall it.

Also see the salescloud project page.

Reported by Fixed by

Not applicable

Updates

2017-01-29

The maintainer of this project has released an update that fixes the issue. Install version 7.x-1.5

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Microblog - Critical - Unsupported - SA-CONTRIB-2017-007

Project Security Advisories - Wed, 01/25/2017 - 1:18pm
Description

This module enables microblogging on Drupal sites using it.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed microblog module, there is nothing you need to do.

Solution

If you use the microblog module for Drupal 7.x you should uninstall it.

Also see the microblog project page.

Reported by Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

OAuth - Less Critical - Access Bypass - SA-CONTRIB-2017-006

Project Security Advisories - Wed, 01/25/2017 - 1:14pm
Description

This module enables you to use the OAuth 1.a protocol to authenticate requests.

The module does not does not implement the OAuth 1.0a security fix reported at https://oauth.net/advisories/2009-1/.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • OAuth 7.x-3.x versions prior to 7.x-3.3.

Drupal core is not affected. If you do not use the contributed OAuth module, there is nothing you need to do.

Solution

Install the latest version.

  • If you use the OAuth module for Drupal 7.x, upgrade to OAuth 7.x-3.3

Also see the OAuth project page.

Reported by Fixed by Coordinated by Changelog
  • 2017-01-25: Released the advisory as unsupported module.
  • 2017-01-25: Updated the advisory as the module is supported again and a security release was made.
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Mailjet - Highly critical - Arbitrary PHP code execution - SA-CONTRIB-2017-005

Project Security Advisories - Wed, 01/11/2017 - 11:25am
Description

The Mailjet module integrates with a 3rd party system to deliver site-generated emails, including newsletters, system notifications, etc.

The Mailjet module included v5.2.8 of the PHPMailer library in its "includes" directory. Per PSA-2016-004, this version of the PHPMailer library was vulnerable to PHP code execution.

Per Drupal.org policy, 3rd party code should not be stored in drupal.org repositories.

Updating this module will require manual actions to replace the PHPMailer library as described in the README.txt file included in the release.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Mailjet 7.x-2.x versions prior 7.x-2.9.

Drupal core is not affected. If you do not use the contributed module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Mailjet module for Drupal 7.x, upgrade to Mailjet7.x-2.9

Also see the project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

OpenLucius - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-004

Project Security Advisories - Wed, 01/11/2017 - 11:23am
Description

OpenLucius is a work management platform for social communication, documentation, and projects.

The distribution doesn't sufficiently use tokens when marking messages for users as read thereby exposing a Cross Site Request Forgery (CSRF) vulnerability.

The distribution does not sufficiently filter taxonomy term names before outputting them to HTML thereby exposing a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have permissions to insert malicious taxonomy terms.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Openlucius 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed OpenLucius News module, there is nothing you need to do.

Solution

Install the latest version:

Also see the OpenLucius News project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Autocomplete Deluxe - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-003

Project Security Advisories - Wed, 01/11/2017 - 10:42am
Description

This module creates a new widget for taxonomy fields based on JQuery UI autocomplete.

The module doesn't sufficiently escape the entered taxonomy terms thereby exposing a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have the permission to edit a taxonomy field.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Autocomplete Deluxe 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Autocomplete Deluxe module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Autocomplete Deluxe project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Doubleclick for Publishers (DFP) - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-002

Project Security Advisories - Wed, 01/04/2017 - 2:25pm
Description

This module enables you to to place advertisements on your site that are served by Google's DFP (Doubleclick for Publisher) service.

The module has multiple Cross Site Scripting (XSS) vulnerabilities due to not sufficiently escaped fields. These vulnerabilities are mitigated by the fact that an attacker must have a role with the permission "administer DFP".

The "administer DFP" permission is not marked as restricted.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • DFP 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Doubleclick for Publishers (DFP) module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Doubleclick for Publishers (DFP) project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Permissions by Term -- Critical - Multiple vulnerabilities - SA-CONTRIB-2017-001

Project Security Advisories - Wed, 01/04/2017 - 1:07pm
Description

The Permissions by Term module extends Drupal functionality by restricting access to single nodes via taxonomy terms. Taxonomy terms are part of the Drupal core functionality. Taxonomy term permissions can be coupled to specific user accounts and/or user roles.

Enabling the module unintentionally gives access to all unpublished nodes to anonymous users

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Permissions by Term 8.x-1.x versions prior to 8.x-1.11.

Drupal core is not affected. If you do not use the contributed Permissions by Term module, there is nothing you need to do.

Solution

If you use the Permissions by Term module for Drupal 8.x, upgrade to Permissions by Term 8.x-1.11.

Also see the Permissions by Term project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

PHPmailer 3rd party library -- DRUPAL-SA-PSA-2016-004

Security Public Service Announcements - Mon, 12/26/2016 - 12:50pm
Description

The PHPMailer and SMTP modules (and maybe others) add support for sending e-mails using the 3rd party PHPMailer library.

In general the Drupal project does not create advisories for 3rd party libraries. Drupal site maintainers should pay attention to the notifications provided by those 3rd party libraries as outlined in PSA-2011-002 - External libraries and plugins. However, given the extreme criticality of this issue and the timing of its release we are issuing a Public Service Announcement to alert potentially affected Drupal site maintainers.

CVE identifier(s) issued
  • CVE-2016-10033
Versions affected

All versions of the external PHPMailer library < 5.2.18.

Drupal core is not affected. If you do not use the contributed PHPMailer third party library, there is nothing you need to do.

Solution

Upgrade to the newest version of the phpmailler library. https://github.com/PHPMailer/PHPMailer

If you are using the SMTP module

The SMTP module has a modified third party PHPMailer library in its codebase. The modified version of the library is not affected.

A special thanks to Fabiano Sant'Ana, SMTP module maintainer, for working on this with short notice.

Reported by
  • Dawid Golunski
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Pages