Project Security Advisories


NVP field - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-066

Wed, 10/10/2018 - 1:02pm
Project: NVP field
Date: 2018-October-10
Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Description:

The NVP field module lets you create a field type of name/value pairs, with custom titles and easily editable rendering, with customizable HTML/text surrounding the pairs.

The module doesn't sufficiently handle sanitization of its field formatter's output.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create or edit content in which the module's fields are in use.

Solution: 

Install the latest version:

Also see the NVP field project page.


Search API Solr Search - Moderately critical - Access bypass - SA-CONTRIB-2018-065

Wed, 10/10/2018 - 1:01pm
Project: Search API Solr Search
Version: 7.x-1.13
Date: 2018-October-10
Security risk: Moderately critical 10∕25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Description:

This module provides support for creating searches using the Apache Solr search engine and the Search API Drupal module.

The module doesn't sufficiently take the searched fulltext fields into account when creating a search excerpt. This can, in specific cases, lead to confidential data being leaked as part of the search excerpt.

Solution: 

Install the latest version:

Also see the Search API Solr Search project page.


Lightbox2 - Critical - Cross Site Scripting - SA-CONTRIB-2018-064

Wed, 10/10/2018 - 12:57pm
Project: Lightbox2
Version: 7.x-2.x-dev
Date: 2018-October-10
Security risk: Critical 18∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Description:

The Lightbox2 module enables you to overlay images on the current page.

The module did not sanitize some inputs when used in combination with a custom view, leading to potential Cross Site Scripting (XSS).

Solution: 

Install the latest version:

Also see the Lightbox2 project page.


Printer, email and PDF versions - Highly critical - Remote Code Execution - SA-CONTRIB-2018-063

Wed, 10/03/2018 - 2:18pm
Project: Printer, email and PDF versions
Version: 7.x-2.x-dev
Date: 2018-October-03
Security risk: Highly critical 20∕25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability: Remote Code Execution
Description:

This module provides printer-friendly versions of content, including send by e-mail and PDF versions.

The module doesn't sufficiently sanitize the arguments passed to the wkhtmltopdf executable, allowing a remote attacker to execute arbitrary shell commands. It also doesn't sufficiently sanitize the HTML content passed to dompdf, allowing a privileged attacker to execute arbitrary PHP code.

This vulnerability is mitigated by the fact that the site must have either the wkhtmltopdf or dompdf sub-modules enabled and selected as the PDF generation tool. In the case of the dompdf vulnerability, the attacker must be able to write content to the site.

Solution: 

Install the latest version:

  • If you use the print module for Drupal 7.x, upgrade to print 7.x-2.1

Alternatively, disable PDF generation, or replace the PDF generation library with another of the supported ones.

Also see the Printer, email and PDF versions project page.


Commerce Klarna Checkout - Moderately critical - Access bypass - SA-CONTRIB-2018-062

Wed, 09/26/2018 - 12:34pm
Project: Commerce Klarna Checkout
Version: 7.x-1.4
Date: 2018-September-26
Security risk: Moderately critical 13∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

The Commerce Klarna Checkout module enables you to accept payments from the Klarna Checkout payment provider.

The module doesn't sufficiently validate the payment callback made by Klarna. An attacker could bypass the payment step.

Solution: 

Install the latest version:

Also see the Commerce Klarna Checkout project page.


Taxonomy File Tree - Moderately critical - Access bypass - SA-CONTRIB-2018-061

Wed, 09/26/2018 - 12:12pm
Project: Taxonomy File Tree
Version: 7.x-1.0
Date: 2018-September-26
Security risk: Moderately critical 13∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

Taxonomy File Tree allows site managers to create file trees.

For files managed as Drupal files, the module does not properly check that a user has access to a file before letting the user download the file.

This vulnerability only affects sites that use private files.

Solution: 

Install the latest version:

Also see the Taxonomy File Tree project page.


Renderkit - Moderately critical - Access bypass - SA-CONTRIB-2018-060

Wed, 09/19/2018 - 12:02pm
Project: Renderkit
Date: 2018-September-19
Security risk: Moderately critical 11∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Description:

This module, typically in combination with cfr:cfrplugin, allows behaviors to be composed from granular components. One such behavior is displaying a list of related entities for a given source entity and a given entity relation (e.g. an entity reference field).

The components that display related content do not check whether the user has access to view the related entities. As a result, unpublished nodes, for example, may be displayed to anonymous visitors.

This vulnerability is mitigated by the facts that:
- a site builder must have used the component that displays "related" entities for a source entity, using cfr:cfrplugin, OR a programmer must have used one of the affected components in code; and
- a source entity displayed this way must reference access-restricted content.

Solution: 

Install the latest version:

Also see the Renderkit project page.


Fraction - Less critical - XSS vulnerability - SA-CONTRIB-2018-059

Wed, 09/05/2018 - 1:22pm
Project: Fraction
Date: 2018-September-05
Security risk: Less critical 5∕25 6/25 (Less Critical) AC:Complex/A:Admin/CI:None/II:None/E:Theoretical/TD:All
Vulnerability: XSS vulnerability
Description:

This module enables you to create fields for storing decimal values as two integers (numerator and denominator) for maximum precision.

The module doesn't sufficiently filter XSS strings out of field labels.

This vulnerability is mitigated by the fact that an attacker must have a role with the ability to manage field configuration.

Solution: 

Install the latest version:

Also see the Fraction project page.


Bing Autosuggest API - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-058

Wed, 08/29/2018 - 12:27pm
Project: Bing Autosuggest API
Version: 7.x-1.x-dev
Date: 2018-August-29
Security risk: Moderately critical 13∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Description:

This module enables you to use the Bing Autosuggest API.

The module doesn't sufficiently sanitize a value used to populate an API request.

Solution: 

Install the latest version:

Also see the Bing Autosuggest API project page.


Drupal Commerce - Moderately critical - Access bypass - SA-CONTRIB-2018-057

Wed, 08/29/2018 - 12:26pm
Project: Drupal Commerce
Version: 8.x-2.x-dev
Date: 2018-August-29
Security risk: Moderately critical 14∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Description:

This module enables you to build eCommerce websites and applications with Drupal.

The module doesn't sufficiently check access for some of its entity types.

Solution: 

Update to Commerce 8.x-2.9.


File (Field) Paths - Critical - Remote Code Execution - SA-CONTRIB-2018-056

Wed, 08/15/2018 - 8:32am
Project: File (Field) Paths
Date: 2018-August-15
Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:All/E:Theoretical/TD:Default
Vulnerability: Remote Code Execution
Description:

This module enables you to automatically sort and rename your uploaded files using token based replacement patterns to maintain a nice clean filesystem.

The module doesn't sufficiently sanitize the path while a new file is uploading, allowing a remote attacker to execute arbitrary PHP code.

This vulnerability is mitigated by the fact that an attacker must have access to a form containing a widget processed by this module.

Solution: 

Install the latest version:


PHP Configuration - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-055

Wed, 08/08/2018 - 1:14pm
Project: PHP Configuration
Version: 8.x-1.0, 7.x-1.0
Date: 2018-August-08
Security risk: Critical 17∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Arbitrary PHP code execution
Description:

This module enables you to add or overwrite PHP configuration on a Drupal website.

The module doesn't sufficiently restrict access to setting these configurations, leading to arbitrary PHP configuration execution by an attacker.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer phpconfig".

After updating the module, review your website's permissions; if the 'administer phpconfig' permission is granted to a user role that is not fully trusted, we advise revoking it.

Solution: 

Install the latest version:

Also see the PHP Configuration project page.

Reported By: Fixed By: Coordinated By: 
  • mpotter of the Drupal Security Team

Select (or other) - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-054

Wed, 07/25/2018 - 8:38am
Project: Select (or other)
Date: 2018-July-25
Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Description:

This module enables users to select 'other' on certain form elements and a textfield appears for the user to provide a custom value.

The module doesn't sufficiently escape the values of a text field when the "Select or other" formatter is used.

This vulnerability is mitigated by the fact that an attacker must have access to edit a field that is displayed through the "Select or other" formatter.

Solution: 

Also see the Select (or other) project page.

Reported By: Fixed By: Coordinated By: 
  • Michael Hess of the Drupal Security Team

XML sitemap - Moderately critical - Information Disclosure - SA-CONTRIB-2018-053

Wed, 07/18/2018 - 11:31am
Project: XML sitemap
Date: 2018-July-18
Security risk: Moderately critical 13∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Information Disclosure
Description:

This module enables you to generate XML sitemaps, which help search engines crawl a website more intelligently and keep their results up to date.

The module doesn't sufficiently handle access rights when content is updated during cron execution.

Solution:

Also see the XML sitemap project page.

Taxonomy Entity Queue - Critical - SQL Injection - SA-CONTRIB-2018-052

Wed, 07/18/2018 - 10:39am
Project: Taxonomy Entity Queue
Date: 2018-July-18
Security risk: Critical 17∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: SQL Injection
Description:

This module enables you to create an entityqueue based on a taxonomy.

The module did not properly use Drupal's database API when querying the database with user supplied values, allowing an attacker to send a specially crafted request to modify the query or potentially perform additional queries.

This vulnerability is mitigated by the fact that an attacker must have a role with the "administer entity queue taxonomy" permission.

Solution:

Install the latest version:

Also see the Taxonomy Entity Queue project page.

Tapestry - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-051

Wed, 07/11/2018 - 10:41am
Project: Tapestry
Date: 2018-July-11
Security risk: Moderately critical 14∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Scripting
Description:

This theme provides Drupal users with many advanced features including 20 Different Color Styles, 30 User Regions, Custom Block Theme Templates, Suckerfish Menus, Icon Support, Advanced Page Layout Options, Simple Configuration, Custom Typography...

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is only exploitable with non-default settings and under certain site configurations.

Solution:

Install the latest version:

Also see the Tapestry project page.

litejazz - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-050

Wed, 07/11/2018 - 10:38am
Project: litejazz
Date: 2018-July-11
Security risk: Moderately critical 14∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Scripting
Description:

This theme features 3 color styles, 12 fully collapsible regions, suckerfish menus, fluid or fixed widths, easy configuration, and more.

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is only exploitable with non-default settings and under certain site configurations.

Solution:

Install the latest version:

Also see the litejazz project page.

NewsFlash - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-049

Wed, 07/11/2018 - 10:35am
Project: NewsFlash
Date: 2018-July-11
Security risk: Moderately critical 14∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Scripting
Description:

This theme features 7 color styles, 12 collapsible regions, suckerfish menus, fluid or fixed widths, and lots more.

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is only exploitable with non-default settings and under certain site configurations.

Solution:

Install the latest version:

Also see the NewsFlash project page.

Beale Street - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-048

Wed, 07/11/2018 - 10:32am
Project: Beale Street
Date: 2018-July-11
Security risk: Moderately critical 13∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Scripting
Description:

This theme features 4 built-in color styles, 18 collapsible regions, Suckerfish menus, flexible widths, adjustable sidebars, configurable font family, and lots more.

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is not exploitable under common site configurations.

Solution:

Also see the Beale Street project page.

EU Cookie Compliance - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-047

Wed, 07/11/2018 - 10:24am
Project: EU Cookie Compliance
Date: 2018-July-11
Security risk: Moderately critical 12∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Scripting
Description:

This module addresses the General Data Protection Regulation (GDPR) that came into effect on 25th May 2018, and the EU Directive on Privacy and Electronic Communications from 2012. It provides a banner where you can gather consent from the user to store cookies on their computer and handle their personal information.

This module does not sanitize some inputs, leading to XSS. This is mitigated by the fact that the attacker must have the permission "Administer EU Cookie Compliance."

Solution:

Install the latest version:

Also see the EU Cookie Compliance project page.