Project Security Advisories


Custom Tokens - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-041

Wed, 06/13/2018 - 10:03am
Project: Custom Tokens
Date: 2018-June-13
Security risk: Critical 16/25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: Arbitrary PHP code execution
Description:

The Custom Tokens module enables you to create custom tokens for specific replacements that can improve other modules relying on the token API.

The module doesn't sufficiently identify that its custom permissions are risky and should only be granted to highly trusted roles.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer custom tokens".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Solution: 

Install the latest version and review your permissions.

Note that after upgrading, additional configuration steps are required. Sites using this module should review the permissions page at Administration » People » Permissions to verify that only trusted users are granted the permissions defined by the module, such as "administer custom tokens".

Also see the Custom Tokens project page.


Entity Delete - Critical - Multiple Vulnerabilities - SA-CONTRIB-2018-040

Wed, 06/06/2018 - 9:05am
Project: Entity Delete
Date: 2018-June-06
Security risk: Critical 18/25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Multiple Vulnerabilities
Description:

This module enables you to delete any types of entities in bulk.

The module doesn't sufficiently verify access permissions under its use cases, leading to access bypass. The module also does not protect against Cross Site Request Forgeries on its delete process.

The access bypass vulnerability is mitigated by the fact that an attacker must have a role with the permission "access content". There is no additional mitigation for the Cross Site Request Forgery vulnerability.

Solution: 

Install the latest version:

Also see the Entity Delete project page.


AdTego SiteIntel - AdBlocker Detect - Critical - Unsupported - SA-CONTRIB-2018-039

Wed, 06/06/2018 - 9:01am
Project: AdTego SiteIntel - AdBlocker Detect
Date: 2018-June-06
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466.

Solution: 

If you use this project, you should uninstall it.


Mollom - Critical - Unsupported - SA-CONTRIB-2018-038

Wed, 06/06/2018 - 8:58am
Project: Mollom
Date: 2018-June-06
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported projects critical by default.

Solution: 

If you use this project, you should uninstall it.

Fixed By:

N/A

Coordinated By: 

N/A

Zircon - Critical - Unsupported - SA-CONTRIB-2018-037

Wed, 05/23/2018 - 10:30am
Project: Zircon
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported themes and modules critical by default.

Solution: 

If you use this theme, you should uninstall it.

Reported By: 

Drew Webber

Education - Critical - Unsupported - SA-CONTRIB-2018-036

Wed, 05/23/2018 - 10:28am
Project: Education
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported themes and modules critical by default.

Solution: 

If you use this theme, you should uninstall it.

Reported By: 

Drew Webber

TB Sirate - Critical - Unsupported - SA-CONTRIB-2018-035

Wed, 05/23/2018 - 10:28am
Project: TB Sirate
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported themes and modules critical by default.

Solution: 

If you use this theme, you should uninstall it.

Reported By: 

Drew Webber

Hotel - Critical - Unsupported - SA-CONTRIB-2018-034

Wed, 05/23/2018 - 10:26am
Project: Hotel
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported themes and modules critical by default.

Solution: 

If you use this theme, you should uninstall it.

Reported By: 

Drew Webber

iShopping - Critical - Unsupported - SA-CONTRIB-2018-033

Wed, 05/23/2018 - 10:25am
Project: iShopping
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported themes and modules critical by default.

Solution: 

If you use this theme, you should uninstall it.

Reported By: 

Drew Webber

Corporate Site - Critical - Unsupported - SA-CONTRIB-2018-032

Wed, 05/23/2018 - 10:23am
Project: Corporate Site
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported themes and modules critical by default.

Solution: 

If you use this theme, you should uninstall it.

Reported By: 

Drew Webber

TB Nucleus - Critical - Unsupported - SA-CONTRIB-2018-031

Wed, 05/23/2018 - 10:22am
Project: TB Nucleus
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported themes and modules critical by default.

Solution: 

If you use this theme, you should uninstall it.

Reported By: 

Drew Webber

SimpleCrop - Critical - Unsupported - SA-CONTRIB-2018-030

Wed, 05/23/2018 - 10:02am
Project: SimpleCrop
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

Solution: 

If you use this module, you should uninstall it.


Baidu Analytics - Critical - Unsupported - SA-CONTRIB-2018-029

Wed, 05/23/2018 - 9:59am
Project: Baidu Analytics
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

Solution: 

If you use this module, you should uninstall it.


Protected Pages - Critical - Unsupported - SA-CONTRIB-2018-028

Wed, 05/23/2018 - 9:55am
Project: Protected Pages
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

Solution: 

If you use this module, you should uninstall it.


SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2018-027

Wed, 05/09/2018 - 4:28pm
Project: SVG Formatter
Date: 2018-May-09
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Cross Site Scripting
Description:

This module adds a new formatter for file fields, which allows any file extension to be uploaded.

The module doesn't sufficiently sanitize uploaded SVG files.

This vulnerability is mitigated by the fact that an attacker must have a role with create or edit permission on a content type that allows SVG files to be uploaded.

Solution: 

Install the latest version:

Also see the SVG Formatter project page.


Scrollable Content - Critical - Unsupported - SA-CONTRIB-2018-026

Wed, 05/09/2018 - 10:19am
Project: Scrollable Content
Date: 2018-May-09
Security risk: Critical 16/25 AC:None/A:User/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability: Unsupported
Description:

Scrollable Content provides a scrolling functionality for your content. Scrollable Content will give you a nice content slider preview of your site's nodes, and provides some display options.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

Solution: 

If you use the Scrollable Content module you should uninstall it.

Reported By:

Balazs Janos Tatar, Provisional member of the Security Team

Fixed By:

N/A

Simple Taxonomy Revision - Critical - Unsupported - SA-CONTRIB-2018-025

Wed, 05/09/2018 - 10:16am
Project: Simple Taxonomy Revision
Date: 2018-May-09
Security risk: Critical 16/25 AC:None/A:User/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability: Unsupported
Description:

Simple Taxonomy Revision module enables revisions for taxonomy terms for Drupal 8.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

Solution:

If you use the Simple Taxonomy Revision module you should uninstall it.

Reported By:

Balazs Janos Tatar, Provisional member of the Security Team

Fixed By:

N/A

KCFinder integration - Critical - Unsupported Module - SA-CONTRIB-2018-024

Wed, 05/09/2018 - 10:14am
Project: KCFinder integration
Date: 2018-May-09
Security risk: Critical 16/25 AC:None/A:User/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability: Unsupported Module
Description:

KCFinder is a multi-language file / image manager you can use to easily select, insert, upload and arrange images, flash movies, and other kinds of files.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

Solution:

If you use the KCFinder integration module you should uninstall it.

Reported By:

Neil Drumm of the Drupal Security Team

Fixed By:

N/A

Multi-Step Registration - Critical - Unsupported Module - SA-CONTRIB-2018-023

Wed, 05/09/2018 - 10:09am
Project: Multi-Step Registration
Date: 2018-May-09
Security risk: Critical 16/25 AC:None/A:User/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability: Unsupported Module
Description:

With Multi-Step Registration you can create multi-step (wizard) user account registration forms.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

Solution:

If you use the Multi-Step Registration (step) module for Drupal, you should uninstall it.

Reported By:

Ayesh Karunaratne

Fixed By:

N/A

JSON API - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2018-021

Wed, 04/25/2018 - 1:43pm
Project: JSON API
Version: 8.x-1.15
Date: 2018-April-25
Security risk: Moderately critical 11/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Request Forgery
Description:

This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities.

The module doesn't provide CSRF protection when processing authenticated traffic that uses cookie-based authentication.

This vulnerability is mitigated by the fact that an attacker must be allowed to create or modify entities of a certain type, and the site must have a very specific and uncommon CORS configuration that allows all other pre-checks to be skipped.

Solution:

Install the latest version:

  • If you use the JSON API module for Drupal 8.x, upgrade to 8.x-1.16
