MenuMenu

Feed aggregator

Views Megarow - Critical - Access Bypass - SA-CONTRIB-2016-029

Project Security Advisories - Wed, 05/18/2016 - 1:54pm
Description

This module enables you to display content from any path within a list of content inside a view or form. The content is displayed in a modal-like format when the user clicks on the "view link" or any custom links created.

The module doesn't sufficiently check access permissions when the user clicks on a views megarow link.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Views megarow 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed Views Megarow module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Views Megarow project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Registration Codes - Less Critical - Input Validation Vulnerability - SA-CONTRIB-028

Project Security Advisories - Wed, 05/18/2016 - 1:54pm
Description

This module enables you to allow users to enter a special registration code in order to sign up for the site.

The module doesn't sufficiently validate the entered registration code

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Registration Codes 7.x-2.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Registration codes module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Registration codes project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Dropbox client - Multiple Vulnerabilities - SA-CONTRIB-2016-027

Project Security Advisories - Wed, 05/18/2016 - 1:29pm
Description

This module enables you to view dropbox files in your Drupal site.

The module doesn't sufficiently sanitize filenames when displaying them to users or administrators leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must be able to upload files to the dropbox folder that the victim later views through the Drupal site.

Additionally, the module shipped with hardcoded and exposed Oauth credentials, making known users of the module exposed to phishing and/or access bypass.

The app secret has been made invalid, making the exposed secrets unusable for the attacker. This also makes the module unusable without upgrading and taking necessary steps to register a new Dropbox app.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All dropbox_client 7.x-3.x versions.

Drupal core is not affected. If you do not use the contributed Dropbox Client module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the dropbox_client module for Drupal 7.x, upgrade to dropbox_client 7.x-4.0
  • Versions 3.x is no longer supported

Also see the Dropbox Client project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Open Atrium Notifications - Less Critical - Information Disclosure - SA-CONTRIB-2016-026

Project Security Advisories - Wed, 05/04/2016 - 12:43pm
Description

Open Atrium is a distribution of Drupal that allows you to build collaborative web sites. The Open Atrium Notification module adds the ability to send email notifications to users subscribed to certain content.

When combined with the Open Atrium Mailhandler app, incoming email replies to notifications can be processed as new comments. Notifications generated from these imported replies can be sent to the wrong list of users.

This vulnerability is mitigated by the fact that it depends on the specific configuration of the mailhandler that is processing notifications.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • oa_notifications 7.x-2.x versions prior to 7.x-2.30.
  • Open Atrium 7.x-2.x versions prior to 7.x-2.63.

Drupal core is not affected. If you do not use the contributed Open Atrium Notifications module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Open Atrium Notifications project page.

Reported by
  • Mike Potter provisional member of the Drupal Security Team and Open Atrium maintainer.
Fixed by Coordinated by
  • Mike Potter provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Fieldable Panels Panes - Moderately Critical - XSS - SA-CONTRIB-2016-025

Project Security Advisories - Wed, 05/04/2016 - 12:06pm
Description

This module enables you to create fieldable entities that have special integration with Panels.

The module doesn't sufficiently filter the entity title or admin title fields when they are displayed in either the Panels admin UI or the In-Place Editor (IPE), allowing for specially crafted XSS attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with the necessary permissions to create FPP objects, and then either:

  • a user with permission to use the Panels In-Place-Editor (IPE) must visit a page that the FPP object is added to; or
  • a user with permission to use the Panels admin interface must edit a page the FPP object is added to.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Fieldable Panels Panes 7.x-1.x versions prior to 7.x-1.10.

Drupal core is not affected. If you do not use the contributed Fieldable Panels Panes (FPP) module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Fieldable Panels Panes (FPP) project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

EPSA Crop - Image Cropping - Critical -XSS - SA-CONTRIB-2016-024 - Unsupported

Project Security Advisories - Wed, 04/20/2016 - 12:51pm
Description

EPSA Crop is a module that allows a user to choose coordinates for different presets on an image. If a user defines coordinates EPSACrop will override the Imagecache process and will set new coordinates.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of EPSA Crop module.

Drupal core is not affected. If you do not use the contributed EPSA Crop module, there is nothing you need to do.

Solution

If you use the EPSA Crop module for Drupal 7.x you should uninstall it.

Also see the EPSA Crop project page.

Reported by Fixed by

Not applicable.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x

Organic groups - Moderately Critical - Access bypass - DRUPAL-SA-CONTRIB-2016-023

Project Security Advisories - Wed, 04/20/2016 - 10:24am
Description

This module enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate among themselves. Selective groups require approval in order to become a member, or even invitation-only groups.

Under the certain field configurations a user is able to subscribe without approval to group that requires approving the membership. Depending on permissions, the user may be able to post content to that group.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Organic groups 7.x-2.x versions prior to 7.x-2.9.

Drupal core is not affected. If you do not use the contributed Organic groups module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Organic groups project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Search API - Moderately Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-022

Project Security Advisories - Wed, 04/20/2016 - 9:31am
Description

This module enables you to build searches using a wide range of features, data sources and backends.

Search index not updated by node access changes

The module doesn't sufficiently re-index nodes when using the "Node access" or "Access check" data alterations and non-standard ways of changing node access are used. This could lead to nodes or comments being listed in search results to which the visitor viewing the results should not have access.

This vulnerability is mitigated by the fact that this only occurs in uncommon setups, and that only nodes that were already accessible to the user at some point can be displayed.

XSS vulnerability in Views search results

The module doesn't sufficiently sanitize field values returned directly from the search server (e.g., Solr).

This vulnerability is mitigated by the fact that several components/modules need to be configured in a specific way to allow this vulnerability to be exploited.

Doesn't check for "access comments" permission when searching for comments

The module doesn't sufficiently check the user's permissions when comments are searched.

This vulnerability is mitigated by the fact that it only occurs in specific site configurations:

  • A search index with item type "Comment".
  • Using the "Access check" data alteration for protection.
  • The site allowing certain users to view content (nodes), but not comments.
  • A search page for the comment index must be accessible for these users.
CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Search API 7.x-1.x versions prior to 7.x-1.18.

Drupal core is not affected. If you do not use the contributed Search API module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Search API project page.

Reported by Fixed by Coordinated by
  • Mike Potter provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Boost - Moderately Critical - Information Disclosure - SA-CONTRIB-2016-021

Project Security Advisories - Wed, 04/13/2016 - 2:30pm
Description

This module provides static page caching for Drupal enabling a very significant performance and scalability boost for sites that receive mostly anonymous traffic.

The module doesn't prevent form cache from leaking between anonymous users which could result in information disclosure, where one user sees form data generated for another.

This vulnerability is mitigated by the fact that it only affects AJAX forms which expose sensitive data to anonymous users.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Boost 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Boost module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Boost module for Drupal 7.x, upgrade to Boost 7.x-1.1

Also see the Boost project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Features - Less Critical - Denial of Service (DoS) - SA-CONTRIB-2016-020

Project Security Advisories - Wed, 04/13/2016 - 11:50am
Description

This module enables you to organize and export configuration data.

The module doesn't sufficiently protect the admin/structure/features/cleanup path with a token. If an attacker can trick an admin with the "manage features" permission to request a special URL, it could lead to clearing the cache repeatedly and a Denial of Service (DoS) attack.

This vulnerability is mitigated by the fact that the admin with the "manage features" permissions must be logged in when they request the special URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Features 7.x-2.x versions prior to 7.x-2.9.
  • Features 7.x-1.x which is no longer supported.

Drupal core is not affected. If you do not use the contributed Features module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Features project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Drupal Commerce - Less Critical - Information disclosure - SA-CONTRIB-2016-019

Project Security Advisories - Wed, 04/06/2016 - 12:16pm
Description

This module enables you to build an online store that uses nodes to display products through the use of product reference fields. The default widget for those fields is an autocomplete textfield similar to the taxonomy term reference field's autocomplete widget. As you type in the textfield, the Commerce Product module returns a JSON array of matching product SKUs / titles for you to select.

The module doesn't sufficiently restrict access to the autocomplete path under the default configuration of the field. A visitor to the website could browse directly to the autocomplete path to see a list of products that would ordinarily be returned to the autocomplete JavaScript to populate the autocomplete dropdown. Default parameters on the function used to generate this list cause it to bypass the product access control check that would ordinarily restrict product visibility to end users based on your site's permissions.

This vulnerability is mitigated by the fact that an attacker must know what the autocomplete path is and what arguments to include in it to generate a valid response based on your site's architecture. Additionally, in most eCommerce sites, product SKUs and titles are not by themselves considered private information.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Drupal Commerce 7.x-1.x versions prior to 7.x-1.13.

Drupal core is not affected. If you do not use the contributed Drupal Commerce module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Drupal Commerce project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

HybridAuth - Less critical - Multiple vulnerabilities - SA-CONTRIB-2016-018

Project Security Advisories - Wed, 04/06/2016 - 11:13am
Description

The HybridAuth Social Login module enables you to allow visitors to authenticate or login to a Drupal site using their identities from social networks like Facebook or Twitter.

Open redirect

The module doesn't verify the "destination" redirect after a login to be a non-external URL causing an open redirect vulnerability. This vulnerability can be used by any attacker crafting a special login link.

Information disclosure

The module doesn't check the tokens in the "destination" redirect value allowing an attacker to specify arbitrary tokens. Any token value is exposed in the redirect URL.

This vulnerability is mitigated by the fact that there must be secret data on the site that is exposed through the token system (for example an access protected field). An attacker must have a knowledge on what fields/tokens contain secret information.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • HybridAuth Social Login 7.x-2.x versions prior to 7.x-2.15.

Drupal core is not affected. If you do not use the contributed HybridAuth Social Login module, there is nothing you need to do.

Solution

Install the latest version:

Also see the HybridAuth Social Login project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Login one time - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-017

Project Security Advisories - Wed, 03/23/2016 - 10:45am
Description

The Login one time module provides the ability to email one-time login links to users.

The module doesn't sufficiently sanitize user input supplied to an ajax callback function.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Login one time 7.x-2.x versions prior to 7.x-2.10.

Drupal core is not affected. If you do not use the contributed Login one time module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Login one time project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Fast Autocomplete - Critical - DOS vulnerability - SA-CONTRIB-2016-016

Project Security Advisories - Wed, 03/16/2016 - 11:02am
Description

This module enables you to show IMDB-like suggestions when entering terms into an input field using json files to "cache" suggestions making the autocomplete very fast.

The module doesn't sufficiently validate the incoming language parameter in the request path when a json file of the module is requested resulting in folders being created in the public files directory where the module stores its json files. This vulnerability can be exploited to perform a DOS-attack by depletion of available inodes on the webserver.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Fast Autocomplete 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Fast Autocomplete module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Fast Autocomplete project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Scald File - Critical - Remote Code Execution - SA-CONTRIB-2016-015

Project Security Advisories - Wed, 03/09/2016 - 3:10pm
Description

When a PDF is uploaded in Scald File, various tools can be executed if they're installed on the server, to try to generate a thumbnail out of that PDF.

This is mitigated by the need to have the sufficient permissions to upload a file in Scald, and also to have at least one of the thumbnail creation tools installed on the server (pdfdraw, convert or mudraw).
It could also be partially mitigated by using the transliteration module for uploaded files.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Scald File module 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Scald File Provider module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Scald File Provider project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Fieldable Panels Panes - Moderately Critical - Access Bypass - SA-CONTRIB-2016-014

Project Security Advisories - Wed, 03/02/2016 - 10:24am
Description

This module enables you to create fieldable entities that have special integration with Panels.

The module doesn't check access permissions on a file when it is attached to a field on a Fieldable Panels Panes entity that has been made private and where the file field is set to store files using the private file storage system.

This vulnerability is mitigated by the fact that it is an uncommon use case for the module.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Fieldable Panels Panes 7.x-1.x versions prior to 7.x-1.8.

Drupal core is not affected. If you do not use the contributed Fieldable Panels Panes (FPP) module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Fieldable Panels Panes (FPP) project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Node Notify - Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-013 - Unsupported

Project Security Advisories - Wed, 03/02/2016 - 9:41am
Description

Node Notify is a lightweight module to allow subscription to comments on nodes for registered and anonymous users.

The module doesn't sufficiently sanitize some user provided content, leading to a Cross Site Scripting vulnerability.

Additionally, some paths were not protected against CSRF. An attacker could cause another user to subscribe and unsubscribe notifications by getting the user's browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of Node Notify module.

Drupal core is not affected. If you do not use the contributed Node Notify module, there is nothing you need to do.

Solution

If you use the Node Notify module for Drupal 7.x you should uninstall it.

Also see the Node Notify project page.

Reported by Fixed by

Not applicable.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Hubspot CTA - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-012 - Unsupported

Project Security Advisories - Wed, 03/02/2016 - 9:37am
Description

This module enables you to embed a Hubspot CTA buttons widget in a Bean block.

The module allows configuration of a CTA ID and Account ID while adding a bean block for a CTA button, but doesn't sufficiently sanitise these parameters, allowing a potential cross-site scripting attack.

This vulnerability is mitigated by the fact that an attacker must have a role with the permissions "administer beans" or "Hubspot Calls-to-action: Add Bean".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of Hubspot CTA module.

Drupal core is not affected. If you do not use the contributed Hubspot CTA module, there is nothing you need to do.

Solution

If you use the Hubspot CTA module you should uninstall it.

Also see the Hubspot CTA project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Google Analytics Counter - Moderately Critical - CSRF - SA-CONTRIB-2016-011

Project Security Advisories - Wed, 03/02/2016 - 9:07am
Description

The Google Analytics Counter module provides total pageview counts for each page on a website. In that it is similar to the core Statistics module counter, but it is much lighter and ultimately faster because it draws on data from Google Analytics. This is why it is also able to effortlessly count views of cached pages.

The module doesn't sufficiently protect against cross-site request forgery when it comes to the configuration reset link on its dashboard page. If the reset link were to be sent to a user with the right permissions, it could lead to an unwanted reset of the module's settings (including its OAuth credentials).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Google Analytics Counter 7.x-3.x versions prior to 7.x-3.2.

Drupal core is not affected. If you do not use the contributed Google Analytics Counter module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Google Analytics Counter project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

USASearch - Moderately Critical - Access Bypass - SA-CONTRIB-2016-010

Project Security Advisories - Wed, 03/02/2016 - 9:01am
Description

This module indexes public content using USASearch, a program of the General Services Administration’s Office of Citizen Services and Information Technology (OCSIT), which offers free search services to any federal, state, local, tribal, or territorial government agency that can be used to search one or many sites. Read more at http://search.usa.gov/program .

The module may index unpublished content making content accessible through search.

This vulnerability is mitigated by the fact that it only affects unpublished content that has been saved and content that was published and subsequently unpublished.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • usasearch 7.x-5.x versions prior to 7.x-5.1.

Drupal core is not affected. If you do not use the contributed DigitalGov Search (machine name: USASearch) module, there is nothing you need to do.

Solution

Install the latest version:

Also see the DigitalGov Search (machine name: USASearch) project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x

Pages