Project Security Advisories


SimpleCrop - Critical - Unsupported - SA-CONTRIB-2018-030

Wed, 05/23/2018 - 10:02am
Project: SimpleCrop
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

Solution: 

If you use this module, you should uninstall it.

Reported By: 

Baidu Analytics - Critical - Unsupported - SA-CONTRIB-2018-029

Wed, 05/23/2018 - 9:59am
Project: Baidu Analytics
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

Solution: 

If you use this module, you should uninstall it.

Reported By: 

Protected Pages - Critical - Unsupported - SA-CONTRIB-2018-028

Wed, 05/23/2018 - 9:55am
Project: Protected Pages
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

Solution: 

If you use this module, you should uninstall it.

Reported By: 

SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2018-027

Wed, 05/09/2018 - 4:28pm
Project: SVG Formatter
Date: 2018-May-09
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Cross Site Scripting
Description:

This module adds a new formatter for file fields, which allows any file extension to be uploaded.

The module doesn't sufficiently sanitize uploaded SVG files.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create or edit content of certain content types that allow SVG files to be uploaded.

Solution: 

Install the latest version:

Also see the SVG Formatter project page.

Reported By:
Fixed By:
Coordinated By:

Scrollable Content - Critical - Unsupported - SA-CONTRIB-2018-026

Wed, 05/09/2018 - 10:19am
Project: Scrollable Content
Date: 2018-May-09
Security risk: Critical 16/25 AC:None/A:User/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability: Unsupported
Description:

Scrollable Content provides a scrolling functionality for your content. Scrollable Content will give you a nice content slider preview of your site's nodes, and provides some display options.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

Solution: 

If you use the Scrollable Content module you should uninstall it.

Reported By: 
  • Balazs Janos Tatar, provisional member of the Security Team

Fixed By:

N/A
Simple Taxonomy Revision - Critical - Unsupported - SA-CONTRIB-2018-025

Wed, 05/09/2018 - 10:16am
Project: Simple Taxonomy Revision
Date: 2018-May-09
Security risk: Critical 16/25 AC:None/A:User/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability: Unsupported
Description:

The Simple Taxonomy Revision module enables revisions for taxonomy terms in Drupal 8.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

Solution:

If you use the Simple Taxonomy Revision module you should uninstall it.

Reported By:
  • Balazs Janos Tatar, provisional member of the Security Team

Fixed By:

N/A

KCFinder integration - Critical - Unsupported Module - SA-CONTRIB-2018-024

Wed, 05/09/2018 - 10:14am
Project: KCFinder integration
Date: 2018-May-09
Security risk: Critical 16/25 AC:None/A:User/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability: Unsupported Module
Description:

KCFinder is a multi-language file / image manager you can use to easily select, insert, upload and arrange images, flash movies, and other kinds of files.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

Solution:

If you use the KCFinder integration module you should uninstall it.

Reported By:

Neil Drumm of the Drupal Security Team

Fixed By:

N/A

Multi-Step Registration - Critical - Unsupported Module - SA-CONTRIB-2018-023

Wed, 05/09/2018 - 10:09am
Project: Multi-Step Registration
Date: 2018-May-09
Security risk: Critical 16/25 AC:None/A:User/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability: Unsupported Module
Description:

With Multi-Step Registration you can create multi-step (wizard) user account registration forms.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

Solution:

If you use the Multi-Step Registration module for Drupal you should uninstall it.

Reported By:

Ayesh Karunaratne

Fixed By:

N/A

JSON API - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2018-021

Wed, 04/25/2018 - 1:43pm
Project: JSON API
Version: 8.x-1.15
Date: 2018-April-25
Security risk: Moderately critical 11/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Request Forgery
Description:

This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities.

The module doesn't provide CSRF protection when processing authenticated traffic using cookie-based authentication.

This vulnerability is mitigated by the fact that an attacker must be allowed to create or modify entities of a certain type, and a very specific and uncommon CORS configuration that allows all other pre-checks to be skipped is required.

Solution:

Install the latest version:

  • If you use the JSON API module for Drupal 8.x, upgrade to 8.x-1.16

Reported By:
Fixed By:
Coordinated By:

DRD Agent - Critical - PHP object injection - SA-CONTRIB-2018-022

Wed, 04/25/2018 - 1:37pm
Project: DRD Agent
Date: 2018-April-25
Security risk: Critical 15/25 AC:None/A:None/CI:None/II:Some/E:Theoretical/TD:All
Vulnerability: PHP object injection
Description:

This module enables you to monitor and manage any number of remote Drupal sites and aggregate useful information for administrators in a central dashboard.

The modules (DRD and DRD Agent) encrypt the data exchanged between them, but to do so they use the PHP serialize/unserialize functions instead of the json_encode/json_decode combination. As the unserialize function is called on unauthenticated content, this introduces a PHP object injection vulnerability.

Solution:

Install the latest version:

Reported By:
Fixed By:
Coordinated By:

Media - Critical - Remote Code Execution - SA-CONTRIB-2018-020

Wed, 04/25/2018 - 1:23pm
Project: Media
Version: 7.x-2.18
Date: 2018-April-25
Security risk: Critical 18/25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Remote Code Execution
Description:

The Media module provides an extensible framework for managing files and multimedia assets, regardless of whether they are hosted on your own site or a third party site.

The module contained a vulnerability similar to SA-CORE-2018-004, leading to a possible remote code execution (RCE) attack.

Solution:

Install the latest version:

  • If you use the Media module for Drupal 7.x-2.x, upgrade to Media 7.x-2.19

Coordinated By:
  • Dave Reid, the module maintainer and member of the Drupal Security Team

Display Suite - Critical - Cross site scripting (XSS) - SA-CONTRIB-2018-019

Wed, 04/18/2018 - 1:31pm
Project: Display Suite
Version: 7.x-2.14, 7.x-1.9
Date: 2018-April-18
Security risk: Critical 17/25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross site scripting (XSS)
Description:

Display Suite allows you to take full control over how your content is displayed using a drag and drop interface.

The module doesn't sufficiently validate view modes provided dynamically via URLs, leading to a reflected cross site scripting (XSS) attack.

This vulnerability is mitigated only by the fact that most modern browsers protect against reflected XSS via the URL.

Solution:

Reported By:
Fixed By:
Coordinated By:

Menu Import and Export - Critical - Access bypass - SA-CONTRIB-2018-018

Wed, 04/18/2018 - 11:45am
Project: Menu Import and Export
Version: 8.x-1.0
Date: 2018-April-18
Security risk: Critical 17/25 AC:Basic/A:None/CI:Some/II:Some/E:Exploit/TD:Uncommon
Vulnerability: Access bypass
Description:

This module helps in exporting and importing menu items via the administrative interface.

The module does not properly restrict access to administrative pages, allowing anonymous users to export and import menu links.

There is no mitigation for this vulnerability.

Solution:

Update to Menu Import and Export 8.x-1.2.

Reported By:
Fixed By:
Coordinated By:

Exif - Critical - Access bypass - SA-CONTRIB-2018-017

Wed, 03/21/2018 - 1:05pm
Project: Exif
Version: 8.x-1.x-dev
Date: 2018-March-21
Security risk: Critical 16/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

This module enables you to retrieve image metadata and use it in fields or the title.

The module doesn't sufficiently restrict access to module settings pages, thereby causing an access bypass vulnerability.

This vulnerability is mitigated by the fact that an attacker must have permission to create entities of certain content entity types.

Solution:

Install the latest version:

  • If you use the Exif module for Drupal 8.x, upgrade to Exif 8.x-1.1

Reported By:
Fixed By:
Coordinated By:

JSON API - Moderately critical - Access Bypass - SA-CONTRIB-2018-016

Wed, 03/21/2018 - 12:59pm
Project: JSON API
Version: 8.x-1.x-dev
Date: 2018-March-21
Security risk: Moderately critical 11/25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access Bypass
Description:

This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities.

The module doesn't sufficiently check access when viewing related resources or relationships, thereby causing an access bypass vulnerability.

This vulnerability is mitigated by the fact that an attacker must be allowed to view the related data; otherwise all they can glean is an entity type UUID and a UUID, which are meaningless by themselves.

Solution:

Install the latest version:

Reported By:
Fixed By:
Coordinated By:

JSON API - Moderately critical - Multiple Vulnerabilities - SA-CONTRIB-2018-015

Wed, 02/21/2018 - 3:12pm
Project: JSON API
Date: 2018-February-21
Security risk: Moderately critical 13/25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Multiple Vulnerabilities
Description:

This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities.

  • The module doesn't sufficiently associate cacheability metadata in certain situations, thereby causing an access bypass vulnerability.

    This vulnerability is mitigated by the fact that an attacker cannot trigger an exploitable situation themselves.

  • The module doesn't sufficiently check access in certain situations.

    This vulnerability is mitigated by the fact that an attacker must have permission to create entities of certain content entity types.

Update: This is fixed in 8.x-1.10, not 8.x-1.9.

Solution:

Install the latest version:

Reported By:
Fixed By:
Coordinated By:

CKEditor Upload Image - Critical - Access bypass - SA-CONTRIB-2018-014

Wed, 02/21/2018 - 2:04pm
Project: CKEditor Upload Image
Date: 2018-February-21
Security risk: Critical 15/25 AC:None/A:None/CI:None/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

This module enables you to drag and drop or paste images into CKEditor.

The module does not sufficiently verify users' permissions, which leads to anonymous users being able to upload files to the server.

Solution:

Install the latest version:

Reported By:
Fixed By:
Coordinated By:

Entity API - Moderately critical - Information Disclosure - SA-CONTRIB-2018-013

Wed, 02/14/2018 - 3:34pm
Project: Entity API
Date: 2018-February-14
Security risk: Moderately critical 10/25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Information Disclosure
Description:

The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties.

The module prints debugging information to the HTML output in certain error conditions, thereby causing an information disclosure vulnerability.

This vulnerability is mitigated by the fact that an attacker needs to be able to trigger the error condition in a way that exposes protected data.

Solution:

Install the latest version:

Reported By:
Fixed By:
Coordinated By:

Entity Backup - Critical - Module Unsupported - SA-CONTRIB-2018-012

Wed, 02/14/2018 - 3:27pm
Project: Entity Backup
Date: 2018-February-14
Security risk: Critical 18/25 AC:None/A:None/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability: Module Unsupported
Description:

The main purpose of the Entity Backup module is to keep a backup of deleted Drupal core entities and perform recovery of them.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

Solution:

Uninstall the module.

Reported By:

Jean-Francois Hovinne

Fixed By:

N/A

Coordinated By:

N/A

Dynamic Banner - Critical - Module Unsupported - SA-CONTRIB-2018-011

Wed, 02/14/2018 - 2:01pm
Project: Dynamic Banner
Date: 2018-February-14
Security risk: Critical 18/25 AC:None/A:None/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability: Module Unsupported
Description:

Dynamic Banner is a module that lightens the load on web developers by removing the need to create many blocks for pages with different banners.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

Solution:

Uninstall the module.

Reported By:

Fixed By:

N/A

Coordinated By:

N/A
