Project Security Advisories


Node View Permissions - Moderately critical - Access Bypass - SA-CONTRIB-2018-002

Wed, 01/10/2018 - 1:02pm
Project: Node View Permissions
Version: 8.x-1.x-dev, 7.x-1.x-dev
Date: 2018-January-10
Security risk: Moderately critical 14/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access Bypass
Description: 

The Node view permissions module enables the "View own content" and "View any content" permissions for each content type on the permissions page.

This module has a vulnerability that allows users with these permissions to view unpublished content that they are not otherwise authorized to view.
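The bug class described above (a per-type "view" permission that is consulted without regard to publishing status) is avoidable at the hook level. The following is an added example written for this page, not code from the Node View Permissions module; it assumes a hypothetical Drupal 8 module named `mymodule` that defines permissions named "view any TYPE content" and "view own TYPE content" for each node type.

```php
<?php
// Added illustrative example (not the Node View Permissions module's code).
// Assumes a hypothetical Drupal 8 module "mymodule" whose permissions are
// named "view any TYPE content" and "view own TYPE content" per node type.

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Session\AccountInterface;
use Drupal\node\NodeInterface;

/**
 * Implements hook_node_access().
 *
 * Core grants "bypass node access" before this hook runs, so only ordinary
 * users reach it. Every operation other than 'view' is left to other
 * modules by returning neutral.
 */
function mymodule_node_access(NodeInterface $node, $op, AccountInterface $account) {
  if ($op !== 'view') {
    return AccessResult::neutral();
  }

  // The advisory's bug class: deciding "view" from the custom permission
  // alone exposes unpublished nodes. Unpublished content is left to core,
  // which shows it only to its owner with "view own unpublished content"
  // (or to users with "bypass node access").
  if (!$node->isPublished()) {
    return AccessResult::neutral()->addCacheableDependency($node);
  }

  $type = $node->bundle();
  $any = AccessResult::allowedIfHasPermission($account, "view any $type content");
  $own = AccessResult::allowedIf((int) $node->getOwnerId() === (int) $account->id())
    ->andIf(AccessResult::allowedIfHasPermission($account, "view own $type content"))
    ->cachePerUser();
  $result = $any->orIf($own);

  // A published node is visible only with one of the two permissions; the
  // generic "access content" permission is not enough once this module is
  // installed. Cache metadata (permissions, user, node) is carried along so
  // the decision is invalidated when any of them changes.
  if ($result->isAllowed()) {
    return $result->addCacheableDependency($node);
  }
  return AccessResult::forbidden()->inheritCacheability($result)->addCacheableDependency($node);
}
```

The one line that matters for the advisory is the early `neutral()` return for unpublished nodes: a hook that never says "allowed" for unpublished content cannot be the module that leaks it, whatever other modules decide.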

This issue was fixed by the maintainer outside of the normal security team process. Some issues were patched in 2014 for the 7.x version of this module, and the 8.x release was updated within the last 6 months. Both releases are now flagged as security updates.

Solution: 

Install the latest version:

Reported By: 
Fixed By: 
  • The module maintainer
Coordinated By: 

Stacks - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-001

Wed, 01/10/2018 - 12:57pm
Project: Stacks
Date: 2018-January-10
Security risk: Critical 18/25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Arbitrary PHP code execution
Description: 

This module enables content editors to create complex pages and layouts on the fly without the help from a developer, using reusable widgets.
The module does not sufficiently filter values posted to its AJAX endpoint, which leads to the instantiation of an arbitrary PHP class.
This vulnerability is mitigated by the fact that only sites with the Stacks - Content Feed submodule enabled are affected.
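The pattern behind this advisory, a class name taken from the request and handed to `new`, is worth seeing next to its fix. The block below is an added example written for this page, not the Stacks module's code: the request key, the widget interface, the widget classes and their namespace are all assumptions.

```php
<?php
// Added illustrative example of the bug class in the advisory; it is not the
// Stacks module's code. The $_POST keys, the interface and the widget
// classes are assumptions.

namespace Drupal\example_widgets;

interface WidgetInterface {
  public function render(array $settings): string;
}

final class TextWidget implements WidgetInterface {
  public function render(array $settings): string {
    return '<p>' . htmlspecialchars($settings['text'] ?? '', ENT_QUOTES, 'UTF-8') . '</p>';
  }
}

/**
 * Vulnerable pattern: the class to instantiate comes straight from the
 * request. The caller can name any class on the autoload path, and many
 * classes do real work in their constructor or destructor (file writes,
 * HTTP requests, deserialization), so "it is only instantiation" is not a
 * safety argument.
 */
function build_widget_unsafe(array $post): WidgetInterface {
  $class = $post['widget_class'];
  return new $class();  // e.g. "\\Vendor\\SomeClass" chosen by the attacker.
}

/**
 * Hardened pattern: the request selects a key in a server-side allow-list,
 * never a class name, and the resolved class is checked to implement the
 * expected interface before it is constructed.
 */
function build_widget(array $post): WidgetInterface {
  $allowed = [
    'text' => TextWidget::class,
  ];
  $key = $post['widget'] ?? '';
  if (!is_string($key) || !isset($allowed[$key])) {
    throw new \InvalidArgumentException('Unknown widget type.');
  }
  $class = $allowed[$key];
  if (!is_subclass_of($class, WidgetInterface::class, TRUE)) {
    throw new \LogicException("$class is not a widget.");
  }
  return new $class();
}

// Constructed request bodies as an AJAX endpoint would receive them.
print build_widget(['widget' => 'text'])->render(['text' => 'hello']) . "\n";
try {
  build_widget(['widget' => '\\Vendor\\SomeClass']);
}
catch (\InvalidArgumentException $e) {
  print 'rejected: ' . $e->getMessage() . "\n";
}
```

In Drupal 8 the idiomatic form of the allow-list is a plugin manager: the client submits a plugin ID, `createInstance()` resolves it against discovered definitions, and class names never cross the trust boundary.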

Solution: 

Install the latest version:

  • If you use the Stacks module for Drupal 8.x, upgrade to Stacks 8.x-1.1
Reported By: 
  • Jean-François Hovinne
Fixed By: 
  • Mauro Vigliotti, the module maintainer
Coordinated By: 
  • Michael Hess of the Drupal Security Team

    me aliases - Highly critical - Arbitrary code execution - SA-CONTRIB-2017-097

    Wed, 12/20/2017 - 1:47pm
    Project: me aliases
    Date: 2017-December-20
    Security risk: Highly critical 20/25 AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All
    Vulnerability: Arbitrary code execution
    Description: 

    The 'me' module provides shortcut paths to the current user's pages, e.g. user/me, blog/me, user/me/edit, tracker/me etc.

    The way 'me' module handles URL arguments allows an attacker to execute arbitrary code strings.

    Solution: 

    Install the latest version:

    • If you use the 'me' module for Drupal 7.x, upgrade to 'me' 7.x-1.3
    Reported By: 
    • ross.linscott
    Fixed By: 
    • Camilo Bravo
    • nohup
    • Michael Hess of the Drupal Security Team
    Coordinated By: 
    • Michael Hess of the Drupal Security Team

    Directory based organisational layer - Critical - Unsupported - SA-CONTRIB-2017-096

    Wed, 12/20/2017 - 10:06am
    Project: Directory based organisational layer
    Date: 2017-December-20
    Security risk: Critical 18/25 AC:None/A:None/CI:Some/II:Some/E:Proof/TD:Default
    Vulnerability: Unsupported
    Description: 

    This module adds a new organizational layer to Drupal, making it easy for managing large numbers of files and nodes.

    The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. The security team takes action in cases like this without regard to the severity of the security issue in question. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

    All projects that are being marked unsupported are given a score of critical. Code that is no longer maintained poses a threat to securing sites.

    Solution: 

    If you use the Directory based organisational layer module for Drupal you should uninstall it.

    Reported By: 

    Jean-Francois Hovinne

    Fixed By: 

    N/A

    ComScore direct tag - Critical - Unsupported - SA-CONTRIB-2017-095

    Wed, 12/20/2017 - 10:00am
    Project: ComScore direct tag
    Date: 2017-December-20
    Security risk: Critical 18/25 AC:None/A:None/CI:Some/II:Some/E:Proof/TD:Default
    Vulnerability: Unsupported
    Description: 

    A simple module to add in the JS for the comScore Direct tag to your Drupal site.

    The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. The security team takes action in cases like this without regard to the severity of the security issue in question. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

    All projects that are being marked unsupported are given a score of critical. Code that is no longer maintained poses a threat to securing sites.

    Solution: 

    If you use the ComScore Direct tag module for Drupal you should uninstall it.

    Reported By: 

    Balazs Janos Tatar

    Fixed By: 

    N/A

    Link Click Count - Critical - Unsupported - SA-CONTRIB-2017-094

    Wed, 12/20/2017 - 9:12am
    Project: Link Click Count
    Date: 2017-December-20
    Security risk: Critical 18/25 AC:None/A:None/CI:Some/II:Some/E:Proof/TD:Default
    Vulnerability: Unsupported
    Description: 

    The Link Click Count module helps you to monitor the traffic to your website by creating link fields. These link fields can be individual links or internal/external links that can be added to the content type.

    The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. The security team takes action in cases like this without regard to the severity of the security issue in question. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

    All projects that are being marked unsupported are given a score of critical. Code that is no longer maintained poses a threat to securing sites.

    Solution: 

    If you use the link click count module for Drupal you should uninstall it.

    Reported By: 

    Karthik Kumar D K

    Fixed By: 

    N/A

    Panopoly Core - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-093

    Wed, 12/13/2017 - 1:24pm
    Project: Panopoly Core
    Version: 7.x-1.x-dev
    Date: 2017-December-13
    Security risk: Moderately critical 13/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
    Vulnerability: Cross Site Scripting
    Description: 

    This module provides common functionality used by other modules in the Panopoly distribution and child distributions, like Open Atrium.

    The module doesn't sufficiently filter node titles used in breadcrumbs when the "Append Page Title to Site Breadcrumb" setting is enabled.

    This vulnerability is mitigated by the fact that an attacker must have a role with the ability to create content.

    Solution: 

    Install the latest version:

    Reported By: Fixed By: Coordinated By: 

    Node feedback - Moderately critical - Access Bypass - SA-CONTRIB-2017-092

    Wed, 12/06/2017 - 2:02pm
    Project: Node feedback
    Version: 7.x-1.2
    Date: 2017-December-06
    Security risk: Moderately critical 12/25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default
    Vulnerability: Access Bypass
    Description: 

    This module enables you to configure nodes so that feedback about them is sent through the personal or site-wide contact forms.
    The module doesn't sufficiently check access to the nodes whose titles are shown on those contact forms.

    This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Use the site-wide contact form" or "Use users' personal contact forms" which is often assigned to untrusted user roles such as anonymous.

    Solution: 

    Install the latest version:

    Also see the Node feedback project page.

    Reported By: Fixed By: Coordinated By: 

    Configuration Update Manager - Moderately critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2017-091

    Wed, 12/06/2017 - 1:44pm
    Project: Configuration Update Manager
    Version: 8.x-1.4
    Date: 2017-December-06
    Security risk: Moderately critical 12/25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default
    Vulnerability: Cross Site Request Forgery (CSRF)
    Description: 

    The Configuration Update Reports sub-module in the Configuration Update module project enables you to run reports to see what configuration on your site differs from the configuration distributed by a module, theme, or installation profile, and to revert, delete, or import configuration.

    This module doesn't sufficiently protect the Import operation, thereby exposing a Cross Site Request Forgery (CSRF) vulnerability which can be exploited by unprivileged users to trick an administrator into unwanted import of configuration.

    This vulnerability is mitigated by the fact that only configuration items distributed with a module, theme, or installation profile that is currently installed and enabled on the site can be imported, not arbitrary configuration values.

    Solution: 

    Install the latest version:

    Alternatively, you could remove the permission "import configuration" from all roles on the site, or uninstall the Configuration Update Reports sub-module from your production sites.

    Also see the Configuration Update Manager project page.

    Reported By: Fixed By: Coordinated By: 

    Feedback Collect - Moderately critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-090

    Wed, 12/06/2017 - 1:41pm
    Project: Feedback Collect
    Version: 7.x-1.5
    Date: 2017-December-06
    Security risk: Moderately critical 14/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
    Vulnerability: Cross Site Scripting (XSS)
    Description: 

    This module enables you to add feedback forms and gather end user feedback, bug reports or any kind of suggestions. 

    The module doesn't sufficiently filter output of its own fields under the scenario of creating or editing feedback-collect content types.

    This vulnerability is mitigated by the fact that an attacker must have a role with the permission "create feedback-collect content" or its related editing permissions.

    Solution: 

    Install the latest version:

    Also see the Feedback Collect project page.

    Reported By: Fixed By: Coordinated By: 

    Mailhandler - Critical - Remote Code Execution - SA-CONTRIB-2017-089

    Wed, 12/06/2017 - 1:37pm
    Project: Mailhandler
    Version: 7.x-2.10
    Date: 2017-December-06
    Security risk: Critical 17/25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:All
    Vulnerability: Remote Code Execution
    Description: 

    The Mailhandler module enables you to create nodes by email.

    The Mailhandler module does not validate file attachments. By sending a correctly crafted e-mail to a mailhandler mailbox an attacker can execute arbitrary code.

    The vulnerability applies to any active mailhandler mailbox, whether or not attachments are mapped to a field.

    Mitigating factors:

    • For 7.x versions prior to 7.x-2.5, the vulnerability is mitigated by the fact that the 'MailhandlerCommandsFiles' plugin must be enabled. In later versions the option to disable commands was removed, so all commands are always enabled.
    • The vulnerability is mitigated by the fact that the attacker must pass the authentication step. By default this means the attacker must send the crafted e-mail from a registered e-mail address.
    • The vulnerability is mitigated by the fact that the mailhandler mailbox e-mail address must be known to the attacker. Whether it is depends on the use case (e.g. when the Mailcomment module is used).
    • The vulnerability is mitigated by the fact that the webserver configuration must either permit the execution of some file extensions in the public filesystem or (Apache) has '.htaccess' support enabled through the AllowOverride directive.
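The last mitigating factor shows why "does not validate file attachments" ends in code execution: whatever is written into the public files directory is served by the web server, and either a script extension or a dropped `.htaccess` turns that into execution. The block below is an added example of the class of check an ingestion path needs before saving an attachment; it is not Mailhandler's fix, and the function name, the allow-list and the sample file names are assumptions constructed for illustration.

```php
<?php
// Added illustrative example, not Mailhandler's fix. Function and variable
// names, the allow-list and the sample names are assumptions.

/**
 * Returns a safe file name for an attachment, or NULL to reject it.
 *
 * The public files directory is served by the web server, so the only
 * defensible policy is an extension allow-list applied to *every* extension
 * in the name (so "shell.php.txt" is caught as well as "shell.phtml") plus
 * a ban on dot-files such as ".htaccess", which can re-enable script
 * execution on Apache when AllowOverride permits it.
 */
function attachment_safe_name(string $original, array $allowed_ext): ?string {
  // Strip any path the MIME part may carry, and control characters.
  $name = basename(str_replace('\\', '/', $original));
  $name = preg_replace('/[\x00-\x1F\x7F]/', '', $name);
  if ($name === '' || $name[0] === '.') {
    return NULL;
  }
  $parts = explode('.', $name);
  $base = array_shift($parts);
  if ($base === '' || !$parts) {
    return NULL;  // No extension at all: reject rather than guess a type.
  }
  $allowed = array_map('strtolower', $allowed_ext);
  foreach ($parts as $ext) {
    if (!in_array(strtolower($ext), $allowed, TRUE)) {
      return NULL;
    }
  }
  return $name;
}

// The allow-list is site policy; this one is an assumption.
$allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

// Constructed sample attachment names from a hypothetical mail part.
$samples = ['report.pdf', 'shell.php', 'shell.php.txt', '.htaccess', '../x.png', 'photo.JPG'];
foreach ($samples as $n) {
  $safe = attachment_safe_name($n, $allowed);
  printf("%-16s -> %s\n", $n, $safe === NULL ? 'REJECTED' : $safe);
}
```

Drupal 7 itself ships the pieces: `file_munge_filename()` neutralises disallowed inner extensions, `file_validate_extensions()` enforces an allow-list on an uploaded file object, and the `.htaccess` core writes into the public files directory (`SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006`, `Options -ExecCGI`) is the last line of defence that the advisory's final mitigating factor refers to. Checking that this file is present and unmodified on a site that runs any mail-ingesting module is cheap and worth doing.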
    Solution: 

    Install the latest version:

    Also see the Mailhandler project page.

    Reported By: Fixed By: Coordinated By: 

    bootstrap_carousel - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-088

    Wed, 11/29/2017 - 1:21pm
    Project: bootstrap_carousel
    Version: 7.x-1.x-dev
    Date: 2017-November-29
    Security risk: Moderately critical 14/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
    Vulnerability: Cross Site Scripting
    Description: 

    This module provides a way to make carousels, based on bootstrap-carousel.js.

    The module doesn't sufficiently escape the alt attribute of the img tags it outputs.

    This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Carousel: Create new content" or any similar node module permissions for creating/editing/removing the module-delivered content type.

    Solution: 

    Install the latest version:

    Reported By: Fixed By: Coordinated By: 

    Services single sign-on client - Critical - Cross-site scripting - SA-CONTRIB-2017-087

    Wed, 11/29/2017 - 1:17pm
    Project: Services single sign-on client
    Version: 7.x-1.x-dev
    Date: 2017-November-29
    Security risk: Critical 16/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
    Vulnerability: Cross-site scripting
    Description: 

    This module allows users of a remote Services-enabled Drupal site to sign on to a second site with their credentials.

    The module does not sanitize information from the request before displaying it, thereby exposing a cross-site scripting vulnerability.

    Solution: 

    Install the latest version:

    Reported By: Fixed By: Coordinated By: 

    Cloud - Critical - CSRF - SA-CONTRIB-2017-086

    Wed, 11/29/2017 - 1:13pm
    Project: Cloud
    Version: 7.x-1.x-dev
    Date: 2017-November-29
    Security risk: Critical 18/25 AC:None/A:User/CI:Some/II:All/E:Theoretical/TD:All
    Vulnerability: CSRF
    Description: 

    This module enables sites to manage public clouds like Amazon EC2 and also private clouds like OpenStack.

    The module doesn't sufficiently protect the deletion of audit reports, thereby exposing a cross-site request forgery vulnerability which can be exploited by unprivileged users to trick an administrator into unwanted deletion of audit reports.

    This vulnerability is mitigated by the fact that the victim must have a role with the permission "access audit report".
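Both this advisory and SA-CONTRIB-2017-091 (Configuration Update Manager) above are the same shape: a state-changing operation reachable by a plain link, so any page an administrator visits can trigger it with the administrator's session. The following is an added Drupal 7 example written for this page, not code from the Cloud or Configuration Update Manager modules; the menu path, the permission name, the table and the function names are assumptions.

```php
<?php
// Added illustrative example (not the Cloud or Configuration Update Manager
// code). Drupal 7 API. Path, permission, table and function names are
// assumptions.

/**
 * Implements hook_menu().
 */
function myaudit_menu() {
  $items['admin/reports/myaudit/%/delete'] = array(
    'title' => 'Delete audit report',
    'page callback' => 'myaudit_delete_report',
    'page arguments' => array(3),
    'access arguments' => array('access audit report'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Vulnerable pattern: a plain GET link performs the destructive action.
 * Any page the administrator visits can embed
 * <img src="https://site/admin/reports/myaudit/42/delete"> and the browser
 * sends the administrator's session cookie with that request.
 */
function myaudit_delete_link_unsafe($report_id) {
  return l(t('Delete'), "admin/reports/myaudit/$report_id/delete");
}

/**
 * Hardened link: the URL carries a per-session token bound to this exact
 * path, which a request forged from another origin cannot know.
 */
function myaudit_delete_link($report_id) {
  $path = "admin/reports/myaudit/$report_id/delete";
  return l(t('Delete'), $path, array('query' => array('token' => drupal_get_token($path))));
}

/**
 * Page callback: refuse unless the token matches this path for this session.
 * The permission check in hook_menu() is not enough on its own; the victim
 * of a CSRF attack *has* the permission, which is the whole point.
 */
function myaudit_delete_report($report_id) {
  $path = "admin/reports/myaudit/$report_id/delete";
  if (empty($_GET['token']) || !drupal_valid_token($_GET['token'], $path)) {
    return MENU_ACCESS_DENIED;
  }
  db_delete('myaudit_report')->condition('rid', (int) $report_id)->execute();
  drupal_set_message(t('Audit report %id deleted.', array('%id' => $report_id)));
  drupal_goto('admin/reports/myaudit');
}
```

The more idiomatic Drupal 7 fix is a `confirm_form()` submitted by POST, since the Form API adds and validates its own token; the token-in-query form above is the lighter option for actions that must stay links. In Drupal 8, where Configuration Update Manager lives, the equivalent is a `_csrf_token: 'TRUE'` requirement on the route, after which links generated for that route carry the token automatically.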

    Solution: 

    Install the latest version:

    • If you use the Cloud module for Drupal 7, upgrade to Cloud 7.x-1.7
    Reported By: Fixed By: Coordinated By: 

    MoneySuite - Moderately critical - Access bypass - SA-CONTRIB-2017-085

    Wed, 11/29/2017 - 1:09pm
    Project: MoneySuite
    Version: 7.x-10.x-dev
    Date: 2017-November-29
    Security risk: Moderately critical 14/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default
    Vulnerability: Access bypass
    Description: 

    MoneySuite provides a set of modules for Drupal sites that rely on the sale of memberships and/or content for revenue.

    The modules have an access bypass vulnerability which allows untrusted users (including anonymous users) to view payments made by users within the system. No data can be modified, nor are any credit card numbers displayed.

    Solution: 

    Install the latest version:

    Reported By: Fixed By: Coordinated By: 

    Domain Integration - Moderately critical - Access bypass - SA-CONTRIB-2017-084

    Wed, 11/29/2017 - 1:01pm
    Project: Domain Integration
    Version: 7.x-1.x-dev
    Date: 2017-November-29
    Security risk: Moderately critical 13/25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All
    Vulnerability: Access bypass
    Description: 

    This module enables you to integrate the Domain module with other popular Drupal modules. The Domain Integration Login Restrict sub-module enables you to restrict access to a domain based on the assigned domains on a user.

    The Domain Integration Login Restrict sub-module doesn't sufficiently check these restrictions when using one-time logins.

    This vulnerability is mitigated by the fact that an attacker must have an active account on one of the domains.

    Solution: 

    Install the latest version:

    Reported By: Fixed By: Coordinated By: 

    Custom Permissions - Moderately critical - Access bypass - SA-CONTRIB-2017-083

    Wed, 11/08/2017 - 12:22pm
    Project: Custom Permissions
    Version: 8.x-1.x-dev
    Date: 2017-November-08
    Security risk: Moderately critical 13/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
    Vulnerability: Access bypass
    Description: 

    Custom Permissions is a lightweight module that allows permissions to be created and managed through an administrative form.

    When this module is in use, any user who is able to perform an action which rebuilds some of Drupal's caches can trigger a scenario in which certain pages protected by this module's custom permissions temporarily lose those custom access controls, thereby leading to an access bypass vulnerability.

    Solution: 

    Install the latest version:

    Reported By: Fixed By: Coordinated By: 

    Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2017-082

    Wed, 11/08/2017 - 12:16pm
    Project: Permissions by Term
    Version: 8.x-1.x-dev
    Date: 2017-November-08
    Security risk: Moderately critical 14/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default
    Vulnerability: Access bypass
    Description: 

    The Permissions by Term module extends Drupal by adding functionality for restricting access to single nodes via taxonomy terms.

    The module grants access to nodes that are being blocked by other node access modules and that the Permissions by Term module does not intend to control. Additionally, it grants access to unpublished nodes in node listings to users who should not be able to see them. These problems lead to an access bypass vulnerability.

    This vulnerability is mitigated by the fact that it only occurs on sites that either have another node access module (besides Permissions by Term) in use, or that have node listings that are accessible to unprivileged users and that don't directly filter out unpublished content.
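The two failure modes in this advisory both come from the node grants system: grants from different modules are OR'ed, so a module that writes a record for a node it does not mean to control overrides another module's restriction, and a module that writes a view record for an unpublished node makes it appear in node_access-filtered listings. The following is an added Drupal 8 example written for this page, not the Permissions by Term code; the module name `myterms`, the node field `field_access_terms`, the user field `field_allowed_terms` and the realm name are assumptions.

```php
<?php
// Added illustrative example (not the Permissions by Term module's code).
// Assumes a hypothetical Drupal 8 module "myterms" that restricts nodes by
// the terms in "field_access_terms"; nodes without that field, or with no
// terms in it, are NOT under this module's control. The user-to-term
// mapping source ("field_allowed_terms" on the user) is an assumption.

use Drupal\Core\Session\AccountInterface;
use Drupal\node\NodeInterface;
use Drupal\user\Entity\User;

const MYTERMS_REALM = 'myterms_term';

/**
 * Implements hook_node_access_records().
 *
 * Records are written only for nodes this module actually controls and only
 * while they are published. Returning an empty array for everything else is
 * what keeps a node under the control of core and of other node access
 * modules: grants are OR'ed across realms, so an unconditional record here
 * would override another module's restriction.
 */
function myterms_node_access_records(NodeInterface $node) {
  if (!$node->hasField('field_access_terms') || $node->get('field_access_terms')->isEmpty()) {
    return [];
  }
  if (!$node->isPublished()) {
    // No grant at all for unpublished nodes. Core writes its default
    // "all" record only for published nodes, so the node stays out of
    // listings that are filtered through the node_access table.
    return [];
  }
  $grants = [];
  foreach ($node->get('field_access_terms')->referencedEntities() as $term) {
    $grants[] = [
      'realm' => MYTERMS_REALM,
      'gid' => (int) $term->id(),
      'grant_view' => 1,
      'grant_update' => 0,
      'grant_delete' => 0,
    ];
  }
  return $grants;
}

/**
 * Implements hook_node_grants().
 *
 * Only the 'view' operation is claimed; update and delete stay with core.
 */
function myterms_node_grants(AccountInterface $account, $op) {
  if ($op !== 'view') {
    return [];
  }
  $tids = myterms_user_term_ids($account);
  return $tids ? [MYTERMS_REALM => $tids] : [];
}

/**
 * Term IDs the account may see (assumed to live on the user entity).
 */
function myterms_user_term_ids(AccountInterface $account) {
  $user = User::load($account->id());
  if (!$user || !$user->hasField('field_allowed_terms')) {
    return [];
  }
  $values = $user->get('field_allowed_terms')->getValue();
  return array_map('intval', array_column($values, 'target_id'));
}
```

After changing either hook on a live site, rebuild the node access table (the "Rebuild permissions" action on the status report, or `node_access_rebuild()`), otherwise stale records from the old logic keep serving access decisions.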

    Solution: 

    Install the latest version:

    Reported By: Fixed By: Coordinated By: 

    Automated Logout - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-081

    Wed, 11/01/2017 - 2:22pm
    Project: Automated Logout
    Version: 7.x-4.x-dev
    Date: 2017-November-01
    Security risk: Moderately critical 14/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Proof/TD:All
    Vulnerability: Cross Site Scripting
    Description: 

    This module provides a site administrator the ability to log users out after a specified time of inactivity. It is highly customizable and includes "site policies" by role to enforce log out.

    The module does not sufficiently filter user-supplied text that is stored in the configuration, resulting in a persistent Cross Site Scripting vulnerability (XSS).

    This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer autologout".

    Solution: 

    Install the latest version:

    Reported By: Fixed By: Coordinated By: 

    Mosaik - Moderately critical - Cross-site scripting - SA-CONTRIB-2017-080

    Wed, 10/25/2017 - 12:28pm
    Project: Mosaik
    Version: 7.x-1.x-dev
    Date: 2017-October-25
    Security risk: Moderately critical 13/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
    Vulnerability: Cross-site scripting
    Description: 

    The Mosaik module enables you to create pages or complex blocks in Drupal with the logic of a real mosaic and its pieces.

    The module doesn't sufficiently sanitize the titles of fieldsets on its administration pages or the titles of blocks that it creates. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer mosaik".
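Six advisories on this page are the same defect in different output contexts: a node title in a breadcrumb (Panopoly Core, SA-CONTRIB-2017-093), a content type's own fields (Feedback Collect, SA-CONTRIB-2017-090), an `img` alt attribute (bootstrap_carousel, SA-CONTRIB-2017-088), request data echoed back (Services single sign-on client, SA-CONTRIB-2017-087), and administrator-supplied configuration strings (Automated Logout, SA-CONTRIB-2017-081; Mosaik, SA-CONTRIB-2017-080). The block below is one added Drupal 7 example written for this page, not code from any of those modules, showing the same attacker-controlled string rendered unsafely and then escaped for each context; the sample strings and function names are constructed for illustration.

```php
<?php
// Added illustrative example, not any of the affected modules' code.
// Drupal 7 API. Sample inputs and function names are constructed.

// Constructed attacker-controlled input as an editor (or a less-trusted
// administrator) could have saved it.
$title = 'Weekly report <img src=x onerror="alert(document.cookie)">';
$alt   = 'logo" onmouseover="alert(1)';
$conf  = '<b onclick="steal()">Session</b> expires <script>1</script>';

// Vulnerable: raw concatenation into markup, the shape of every advisory
// above. A title stays harmless until someone prints it without escaping.
function breadcrumb_unsafe($title) {
  return '<span class="crumb">' . $title . '</span>';
}
function img_unsafe($src, $alt) {
  return '<img src="' . $src . '" alt="' . $alt . '">';
}

// Hardened: escape per context at output time, never at save time.
function breadcrumb_safe($title) {
  // check_plain() escapes <, >, &, " and ' for an HTML text context.
  return '<span class="crumb">' . check_plain($title) . '</span>';
}
function img_safe($src, $alt) {
  // drupal_attributes() escapes every attribute value, quotes included, so
  // an alt text cannot close the attribute and append an event handler.
  return '<img' . drupal_attributes(array('src' => $src, 'alt' => $alt)) . '>';
}
function setting_safe($stored) {
  // Stored configuration is still untrusted on output: "administer X" is
  // not "administer site", and persistent XSS in a setting outlives the
  // account that saved it. filter_xss() keeps a small inline tag set and
  // strips event handlers; use check_plain() when no markup is wanted.
  return filter_xss($stored, array('a', 'em', 'strong'));
}
function message_safe($title) {
  // t() placeholders: @ escapes, % escapes and wraps in <em>, ! inserts raw.
  // Request data echoed in a message (the SSO client case) belongs in @.
  return t('Added breadcrumb for @title', array('@title' => $title));
}

print breadcrumb_safe($title) . "\n";
print img_safe('/sites/default/files/logo.png', $alt) . "\n";
print setting_safe($conf) . "\n";
print message_safe($title) . "\n";
```

The rule that covers all six advisories is a single one: sanitise where the string meets its output context, choosing the function for that context, and treat every stored value, including the site's own configuration, as input.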

    Solution: 

    Install the latest version:

    Also see the Mosaik project page.

    Reported By: Fixed By: Coordinated By: 
