Project Security Advisories


File (Field) Paths - Critical - Remote Code Execution - SA-CONTRIB-2018-056

Wed, 08/15/2018 - 8:32am
Project: File (Field) Paths
Date: 2018-August-15
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:All/E:Theoretical/TD:Default
Vulnerability: Remote Code Execution
Description:

This module enables you to automatically sort and rename your uploaded files using token-based replacement patterns to maintain a nice clean filesystem.

The module doesn't sufficiently sanitize the path while a new file is uploading, allowing a remote attacker to execute arbitrary PHP code.

This vulnerability is mitigated by the fact that an attacker must have access to a form containing a widget processed by this module.

Solution: 

Install the latest version:


PHP Configuration - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-055

Wed, 08/08/2018 - 1:14pm
Project: PHP Configuration
Version: 8.x-1.0, 7.x-1.0
Date: 2018-August-08
Security risk: Critical 17/25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Arbitrary PHP code execution
Description:

This module enables you to add or overwrite PHP configuration on a drupal website.

The module doesn't sufficiently restrict access to setting these configurations, allowing an attacker to change PHP configuration arbitrarily and thereby execute arbitrary PHP code.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer phpconfig".

After updating the module, review your site's permissions; if the 'administer phpconfig' permission is granted to a user role that is not fully trusted, revoke it.

Solution: 

Install the latest version:

Also see the PHP Configuration project page.

Reported By: Fixed By: Coordinated By: 
  • mpotter of the Drupal Security Team

Select (or other) - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-054

Wed, 07/25/2018 - 8:38am
Project: Select (or other)
Date: 2018-July-25
Security risk: Moderately critical 14/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Description:

This module enables users to select 'other' on certain form elements and a textfield appears for the user to provide a custom value.

The module doesn't sufficiently escape the values of a text field when the "Select or other" formatter is used.

This vulnerability is mitigated by the fact that an attacker must have access to edit a field that is displayed through the "Select or other" formatter.

Solution: 

Also see the Select (or other) project page.

Reported By: Fixed By: Coordinated By: 
  • Michael Hess of the Drupal Security Team

XML sitemap - Moderately critical - Information Disclosure - SA-CONTRIB-2018-053

Wed, 07/18/2018 - 11:31am
Project: XML sitemap
Date: 2018-July-18
Security risk: Moderately critical 13/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Information Disclosure
Description:

This module enables you to generate XML sitemaps and it helps search engines to more intelligently crawl a website and keep their results up to date.

The module doesn't sufficiently handle access rights when content is updated during cron execution.

Solution:

Also see the XML sitemap project page.

Taxonomy Entity Queue - Critical - SQL Injection - SA-CONTRIB-2018-052

Wed, 07/18/2018 - 10:39am
Project: Taxonomy Entity Queue
Date: 2018-July-18
Security risk: Critical 17/25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: SQL Injection
Description:

This module enables you to create an entityqueue based on a taxonomy.

The module did not properly use Drupal's database API when querying the database with user supplied values, allowing an attacker to send a specially crafted request to modify the query or potentially perform additional queries.

This vulnerability is mitigated by the fact that an attacker must have a role with the "administer entity queue taxonomy" permission.

Solution:

Install the latest version:

Also see the Taxonomy Entity Queue project page.

Tapestry - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-051

Wed, 07/11/2018 - 10:41am
Project: Tapestry
Date: 2018-July-11
Security risk: Moderately critical 14/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Scripting
Description:

This theme provides Drupal users with many advanced features including 20 Different Color Styles, 30 User Regions, Custom Block Theme Templates, Suckerfish Menus, Icon Support, Advanced Page Layout Options, Simple Configuration, Custom Typography...

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is only exploitable with non-default settings and under certain site configurations.

Solution:

Install the latest version:

Also see the Tapestry project page.

litejazz - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-050

Wed, 07/11/2018 - 10:38am
Project: litejazz
Date: 2018-July-11
Security risk: Moderately critical 14/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Scripting
Description:

This theme features 3 color styles, 12 fully collapsible regions, suckerfish menus, fluid or fixed widths, easy configuration, and more.

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is only exploitable with non-default settings and under certain site configurations.

Solution:

Install the latest version:

Also see the litejazz project page.

NewsFlash - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-049

Wed, 07/11/2018 - 10:35am
Project: NewsFlash
Date: 2018-July-11
Security risk: Moderately critical 14/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Scripting
Description:

This theme features 7 color styles, 12 collapsible regions, suckerfish menus, fluid or fixed widths, and lots more.

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is only exploitable with non-default settings and under certain site configurations.

Solution:

Install the latest version:

Also see the NewsFlash project page.

Beale Street - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-048

Wed, 07/11/2018 - 10:32am
Project: Beale Street
Date: 2018-July-11
Security risk: Moderately critical 13/25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Scripting
Description:

This theme features 4 built-in color styles, 18 collapsible regions, Suckerfish menus, flexible widths, adjustable sidebars, configurable font family, and lots more.

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is not exploitable under common site configurations.

Solution:

Also see the Beale Street project page.

EU Cookie Compliance - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-047

Wed, 07/11/2018 - 10:24am
Project: EU Cookie Compliance
Date: 2018-July-11
Security risk: Moderately critical 12/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Scripting
Description:

This module addresses the General Data Protection Regulation (GDPR) that came into effect 25th May 2018, and the EU Directive on Privacy and Electronic Communications from 2012. It provides a banner where you can gather consent from the user to store cookies on their computer and handle their personal information.

This module does not sanitize some inputs leading to XSS. This is mitigated by the attacker having the permission "Administer EU Cookie Compliance."

Solution:

Install the latest version:

Also see the EU Cookie Compliance project page.

Commerce Custom Order Status - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-046

Wed, 07/11/2018 - 10:15am
Project: Commerce Custom Order Status
Date: 2018-July-11
Security risk: Moderately critical 13/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Description:

Commerce Custom Order Status provides forms for administrators to add, edit, and delete order statuses from the order settings screen.

The module doesn't sufficiently sanitize the output of the status names.

This vulnerability is mitigated by the fact that an attacker must have a role with the "configure order settings" permission.

Solution:

Install the latest version:

Also see the Commerce Custom Order Status project page.

Universally Unique IDentifier - Moderately critical - Arbitrary file upload - SA-CONTRIB-2018-045

Wed, 07/04/2018 - 12:56pm
Project: Universally Unique IDentifier
Date: 2018-July-04
Security risk: Moderately critical 12/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Arbitrary file upload
Description:

This module provides an API for adding universally unique identifiers (UUID) to Drupal objects, most notably entities.

The module has an arbitrary file upload vulnerability when it's used in combination with the Services REST server.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to upload to the file-create REST endpoint.

Solution:
  • If you use the uuid module for Drupal 7.x, upgrade to uuid 7.x-1.1
  • Also see the Universally Unique IDentifier project page

TFA Basic plugins - Less critical - Insecure Randomness - SA-CONTRIB-2018-044

Wed, 06/27/2018 - 1:24pm
Project: TFA Basic plugins
Version: 7.x-1.0
Date: 2018-June-27
Security risk: Less critical 9/25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Insecure Randomness
Description:

The TFA Basic module enables you to use two-factor authentication via a variety of plugins including TOTP and one-time codes delivered via email or SMS.

The module doesn't use a strong source of randomness, creating weak and predictable one-time login codes that are then delivered using SMS. This weakness does not affect the more common TOTP second factor.

This vulnerability is mitigated by the fact that the site must be configured to use SMS to deliver one-time login codes, which is an uncommon configuration.

Solution:

Also see the TFA Basic plugins project page.

Mass Password Reset - Less critical - Insecure Randomness - SA-CONTRIB-2018-043

Wed, 06/27/2018 - 1:11pm
Project: Mass Password Reset
Version: 7.x-1.0
Date: 2018-June-27
Security risk: Less critical 9/25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Insecure Randomness
Description:

This module enables you to reset passwords for all users based upon their user role.

The module doesn't use a strong source of randomness, creating weak and predictable passwords.

This vulnerability is mitigated by the fact that the site must be configured to reveal the password to the attacker, which is a common configuration.

Solution:

Install the latest version:

Also see the Mass Password Reset project page.

Generate Password - Less critical - Insecure Randomness - SA-CONTRIB-2018-042

Wed, 06/27/2018 - 12:49pm
Project: Generate Password
Version: 7.x-1.x-dev
Date: 2018-June-27
Security risk: Less critical 9/25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Insecure Randomness
Description:

The Genpass module makes the password field optional (or hidden) on the add new user page (admin & registration). If the password field is not set during registration, the system generates a password.

The module doesn't use a strong source of randomness, creating weak and predictable passwords.

This vulnerability is mitigated by the fact that the site must be configured to reveal the password to the attacker, which is a common configuration.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Solution:

Install the latest version:

  • If you use the Genpass module for Drupal 7.x-1.x, upgrade to Genpass 7.x-1.1

Also see the Generate Password project page.

Custom Tokens - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-041

Wed, 06/13/2018 - 10:03am
Project: Custom Tokens
Date: 2018-June-13
Security risk: Critical 16/25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: Arbitrary PHP code execution
Description:

The Custom Tokens module enables you to create custom tokens for specific replacements that can improve other modules relying on the token API.

The module doesn't sufficiently identify that its custom permissions are risky and should only be granted to highly trusted roles.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer custom tokens".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Solution:

Install the latest version and review your permissions.

Note: after upgrading, additional configuration steps are required. Sites using this module should review the permissions page at Administration » People » Permissions to verify that only trusted users are granted permissions defined by the module, such as "administer custom tokens".

Also see the Custom Tokens project page.

Entity Delete - Critical - Multiple Vulnerabilities - SA-CONTRIB-2018-040

Wed, 06/06/2018 - 9:05am
Project: Entity Delete
Date: 2018-June-06
Security risk: Critical 18/25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Multiple Vulnerabilities
Description:

This module enables you to delete any types of entities in bulk.

The module doesn't sufficiently verify access permissions under its use cases, leading to access bypass. The module also does not protect against Cross Site Request Forgeries on its delete process.

The access bypass vulnerability is mitigated by the fact that an attacker must have a role with the permission "access content". There is no additional mitigation for the Cross Site Request Forgery vulnerability.

Solution:

Install the latest version:

Also see the Entity Delete project page.

AdTego SiteIntel - AdBlocker Detect - Critical - Unsupported - SA-CONTRIB-2018-039

Wed, 06/06/2018 - 9:01am
Project: AdTego SiteIntel - AdBlocker Detect
Date: 2018-June-06
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466.

Solution:

If you use this project, you should uninstall it.

Mollom - Critical - Unsupported - SA-CONTRIB-2018-038

Wed, 06/06/2018 - 8:58am
Project: Mollom
Date: 2018-June-06
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported projects critical by default.

Solution:

If you use this project, you should uninstall it.

Fixed By: N/A

Coordinated By: N/A

Zircon - Critical - Unsupported - SA-CONTRIB-2018-037

Wed, 05/23/2018 - 10:30am
Project: Zircon
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported themes and modules critical by default.

Solution:

If you use this theme, you should uninstall it.

Reported By: Drew Webber
