Project Security Advisories


Commerce Custom Order Status - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-046

Wed, 07/11/2018 - 10:15am
Project: Commerce Custom Order Status
Date: 2018-July-11
Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Description:

Commerce Custom Order Status provides forms for administrators to add, edit, and delete order statuses from the order settings screen.

The module doesn't sufficiently sanitize the output of the status names.

This vulnerability is mitigated by the fact that an attacker must have a role with the "configure order settings" permission.

Solution: 

Install the latest version:

Also see the Commerce Custom Order Status project page.


Universally Unique IDentifier - Moderately critical - Arbitrary file upload - SA-CONTRIB-2018-045

Wed, 07/04/2018 - 12:56pm
Project: Universally Unique IDentifier
Date: 2018-July-04
Security risk: Moderately critical 12∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Arbitrary file upload
Description:

This module provides an API for adding universally unique identifiers (UUID) to Drupal objects, most notably entities.

The module has an arbitrary file upload vulnerability when it is used in combination with the Services REST server.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to upload to the file create REST endpoint.

Solution: 
  • If you use the uuid module for Drupal 7.x, upgrade to uuid 7.x-1.1
  • Also see the Universally Unique IDentifier project page


TFA Basic plugins - Less critical - Insecure Randomness - SA-CONTRIB-2018-044

Wed, 06/27/2018 - 1:24pm
Project: TFA Basic plugins
Version: 7.x-1.0
Date: 2018-June-27
Security risk: Less critical 9∕25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Insecure Randomness
Description:

The TFA Basic module enables you to use Two Factor Authentication via a variety of plugins, including TOTP and one-time codes delivered via email or SMS.

The module doesn't use a strong source of randomness, creating weak and predictable one-time login codes that are then delivered using SMS. This weakness does not affect the more common TOTP second factor.

This vulnerability is mitigated by the fact that the site must be configured to use SMS to deliver one-time login codes, which is an uncommon configuration.

Solution:

Also see the TFA Basic plugins project page.


Mass Password Reset - Less critical - Insecure Randomness - SA-CONTRIB-2018-043

Wed, 06/27/2018 - 1:11pm
Project: Mass Password Reset
Version: 7.x-1.0
Date: 2018-June-27
Security risk: Less critical 9∕25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Insecure Randomness
Description:

This module enables you to reset passwords for all users based upon their user role.

The module doesn't use a strong source of randomness, creating weak and predictable passwords.

This vulnerability is mitigated by the fact that the site must be configured to reveal the password to the attacker, which is a common configuration.

Solution:

Install the latest version:

Also see the Mass Password Reset project page.


Generate Password - Less critical - Insecure Randomness - SA-CONTRIB-2018-042

Wed, 06/27/2018 - 12:49pm
Project: Generate Password
Version: 7.x-1.x-dev
Date: 2018-June-27
Security risk: Less critical 9∕25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Insecure Randomness
Description:

The Genpass module makes the password field optional (or hidden) on the add new user page (admin & registration). If the password field is not set during registration, the system generates a password.

The module doesn't use a strong source of randomness, creating weak and predictable passwords.

This vulnerability is mitigated by the fact that the site must be configured to reveal the password to the attacker, which is a common configuration.

CVE identifier(s) issued
• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Solution:

Install the latest version:

• If you use the Genpass module for Drupal 7.x-1.x, upgrade to Genpass 7.x-1.1

Also see the Generate Password project page.


Custom Tokens - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-041

Wed, 06/13/2018 - 10:03am
Project: Custom Tokens
Date: 2018-June-13
Security risk: Critical 16∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: Arbitrary PHP code execution
Description:

The Custom Tokens module enables you to create custom tokens for specific replacements that can improve other modules relying on the token API.

The module doesn't sufficiently identify that its custom permissions are risky and should only be granted to highly trusted roles.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer custom tokens".

CVE identifier(s) issued
• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Solution:

Install the latest version and review your permissions.

Note that after upgrading, additional configuration steps are required. Sites using this module should review the permissions page at Administration » People » Permissions to verify that only trusted users are granted permissions defined by the module, such as "administer custom tokens".

Also see the Custom Tokens project page.


Entity Delete - Critical - Multiple Vulnerabilities - SA-CONTRIB-2018-040

Wed, 06/06/2018 - 9:05am
Project: Entity Delete
Date: 2018-June-06
Security risk: Critical 18∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Multiple Vulnerabilities
Description:

This module enables you to delete any types of entities in bulk.

The module doesn't sufficiently verify access permissions under its use cases, leading to access bypass. The module also does not protect against Cross Site Request Forgeries on its delete process.

The access bypass vulnerability is mitigated by the fact that an attacker must have a role with the permission "access content". There is no additional mitigation for the Cross Site Request Forgery vulnerability.

Solution:

Install the latest version:

Also see the Entity Delete project page.


AdTego SiteIntel - AdBlocker Detect - Critical - Unsupported - SA-CONTRIB-2018-039

Wed, 06/06/2018 - 9:01am
Project: AdTego SiteIntel - AdBlocker Detect
Date: 2018-June-06
Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466.

Solution:

If you use this project, you should uninstall it.


Mollom - Critical - Unsupported - SA-CONTRIB-2018-038

Wed, 06/06/2018 - 8:58am
Project: Mollom
Date: 2018-June-06
Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported projects critical by default.

Solution:

If you use this project, you should uninstall it.

Fixed By: N/A

Coordinated By: N/A

Zircon - Critical - Unsupported - SA-CONTRIB-2018-037

Wed, 05/23/2018 - 10:30am
Project: Zircon
Date: 2018-May-23
Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported themes and modules critical by default.

Solution:

If you use this theme, you should uninstall it.

Reported By: Drew Webber

Education - Critical - Unsupported - SA-CONTRIB-2018-036

Wed, 05/23/2018 - 10:28am
Project: Education
Date: 2018-May-23
Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported themes and modules critical by default.

Solution:

If you use this theme, you should uninstall it.

Reported By: Drew Webber

TB Sirate - Critical - Unsupported - SA-CONTRIB-2018-035

Wed, 05/23/2018 - 10:28am
Project: TB Sirate
Date: 2018-May-23
Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported themes and modules critical by default.

Solution:

If you use this theme, you should uninstall it.

Reported By: Drew Webber

Hotel - Critical - Unsupported - SA-CONTRIB-2018-034

Wed, 05/23/2018 - 10:26am
Project: Hotel
Date: 2018-May-23
Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported themes and modules critical by default.

Solution:

If you use this theme, you should uninstall it.

Reported By: Drew Webber

iShopping - Critical - Unsupported - SA-CONTRIB-2018-033

Wed, 05/23/2018 - 10:25am
Project: iShopping
Date: 2018-May-23
Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported themes and modules critical by default.

Solution:

If you use this theme, you should uninstall it.

Reported By: Drew Webber

Corporate Site - Critical - Unsupported - SA-CONTRIB-2018-032

Wed, 05/23/2018 - 10:23am
Project: Corporate Site
Date: 2018-May-23
Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported themes and modules critical by default.

Solution:

If you use this theme, you should uninstall it.

Reported By: Drew Webber

TB Nucleus - Critical - Unsupported - SA-CONTRIB-2018-031

Wed, 05/23/2018 - 10:22am
Project: TB Nucleus
Date: 2018-May-23
Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported themes and modules critical by default.

Solution:

If you use this theme, you should uninstall it.

Reported By: Drew Webber

SimpleCrop - Critical - Unsupported - SA-CONTRIB-2018-030

Wed, 05/23/2018 - 10:02am
Project: SimpleCrop
Date: 2018-May-23
Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

Solution:

If you use this module, you should uninstall it.


Baidu Analytics - Critical - Unsupported - SA-CONTRIB-2018-029

Wed, 05/23/2018 - 9:59am
Project: Baidu Analytics
Date: 2018-May-23
Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

Solution:

If you use this module, you should uninstall it.


Protected Pages - Critical - Unsupported - SA-CONTRIB-2018-028

Wed, 05/23/2018 - 9:55am
Project: Protected Pages
Date: 2018-May-23
Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

Solution:

If you use this module, you should uninstall it.


SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2018-027

Wed, 05/09/2018 - 4:28pm
Project: SVG Formatter
Date: 2018-May-09
Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Cross Site Scripting
Description:

This module adds a new formatter for file fields, which allows any file extension to be uploaded.

The module doesn't sufficiently sanitize uploaded SVG files.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create or edit content on certain content types that allow SVG files to be uploaded.

Solution:

Install the latest version:

Also see the SVG Formatter project page.

