Project Security Advisories


Like/Dislike - Critical - Unsupported - SA-CONTRIB-2016-056

Wed, 11/02/2016 - 1:38pm
Description

The Like/Dislike module adds Like and Dislike actions to any content. It is built on the Drupal field concept.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of the Like/Dislike module.

Drupal core is not affected. If you do not use the contributed Like/Dislike module, there is nothing you need to do.

Solution

If you use the Like/Dislike module for Drupal 7.x, you should uninstall it.

Also see the Like/Dislike project page.

Reported by
Fixed by

Not applicable.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Menu Views - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-055

Wed, 11/02/2016 - 1:21pm
Description

This module enables users to create menu items that render views instead of links. This is useful for creating "mega-menus".

The module doesn't sufficiently filter title and breadcrumb fields for possible cross-site scripting.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer menu views".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Menu Views 7.x-2.x versions prior to 7.x-2.4.

Drupal core is not affected. If you do not use the contributed Menu Views module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Menu Views project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Tripal BLAST UI - Highly Critical - Remote Code Execution - SA-CONTRIB-2016-054

Wed, 10/26/2016 - 12:20pm
Description

This module enables you to run NCBI BLAST jobs on the host system.

The module doesn't sufficiently validate advanced options available to users submitting BLAST jobs, thereby exposing the ability to enter a short snippet of shell code that will be executed when the BLAST job is run.

This vulnerability only requires the attacker to have minimal permissions on the site (for example, "View published content") and therefore can be exploited by untrusted or unauthenticated users in most cases.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Tripal BLAST UI 7.x-1.x versions prior to 7.x-1.2

Drupal core is not affected. If you do not use the contributed Tripal BLAST UI module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Tripal BLAST UI project page.

Reported by
Fixed by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Webform - Less Critical - Access Bypass - SA-CONTRIB-2016-053

Wed, 10/19/2016 - 10:27am
Description

This module provides a user interface to create and configure forms called Webforms.

When using forms with private file uploads, Webform was not explicitly denying access to the files it managed, which could allow access to be granted by other modules.

The vulnerability is mitigated by the fact that another module has to explicitly grant access to those files.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Webform 7.x-3.x versions prior to 7.x-3.25.
  • Webform 7.x-4.x is unaffected.

Drupal core is not affected. If you do not use the contributed Webform module, there is nothing you need to do.

Solution

If you use webform-7.x-3.x you may …

Also see the Webform project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Elysia Cron - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-052

Wed, 10/12/2016 - 10:08am
Description

This module enables you to manage cron jobs.

The module doesn't sufficiently sanitize the cron rules entered into the "Predefined rules" field, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer elysia cron".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Elysia Cron 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Elysia Cron module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Elysia Cron project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Flag Lists - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2016-051

Wed, 09/07/2016 - 1:45pm
Description

This module enables regular users to create unlimited private flags called lists.

The flag_lists module doesn't sufficiently filter the output when applying token strings to flag_lists links leading to a persistent Cross Site Scripting (XSS) attack.

This vulnerability is mitigated by the fact that an attacker must have a role with the "Create flag lists" permission.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • flag_lists 7.x-3.x versions prior to 7.x-3.1.
  • flag_lists 7.x-1.x versions prior to 7.x-1.3.

Please note that two different versions of the flag_lists module are available: 7.x-3.x, which is used together with flag 7.x-3.x, and 7.x-1.x, for flag releases prior to 7.x-3.x.

Drupal core is not affected. If you do not use the contributed Flag lists module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Flag Lists project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Flag - Moderately Critical - Access Bypass - SA-CONTRIB-2016-050

Wed, 08/31/2016 - 1:23pm
Description

Flag enables users to mark content with any number of admin-defined flags, such as 'bookmarks' or 'spam'. Flag Bookmark is a submodule within Flag, which provides a 'bookmarks' flag, and default views to list bookmarked content.

The provided view that lists each user's bookmarked content as a tab on their user profile is access-controlled only by the permission to use the 'bookmarks' flag. This means that any user who has permission to use the 'bookmarks' flag can see the list of content that any other user has bookmarked.

This vulnerability is mitigated by the fact that the site must have enabled the Flag Bookmark module to create this view, and an attacker must have a role with the permission "Flag node entities as bookmarks".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Flag 7.x-3.x versions prior to 7.x-3.8.

Drupal core is not affected. If you do not use the contributed Flag module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Flag module for Drupal 7.x, upgrade to Flag 7.x-3.8

If you have Flag Bookmark enabled, or have enabled it in the past and still have the flag_bookmarks_tab view active, edit this view and change the User: uid contextual filter as follows:

  1. set the validator to 'Current user ID matches argument value'
  2. set the action to take if the filter value does not validate to 'Show "Page not found"'.

Also see the Flag project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Workbench Scheduler - Moderately Critical - Access Bypass - SA-CONTRIB-2016-049

Wed, 08/24/2016 - 10:47am
Description

Workbench Scheduler module provides users with the ability to create schedules that change moderated content from one workbench moderation state to another.

An authenticated user could add a schedule to a node even when that content type has schedules disabled.

The vulnerability is mitigated by the fact that an attacker must have access to an account in the system with permission to edit content and create schedules. Also, only sites with a specific combination of permissions and modules are affected.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Workbench Scheduler 7.x-1.x versions prior to 7.x-1.9.

Drupal core is not affected. If you do not use the contributed Workbench Scheduler module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Workbench Scheduler project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Panelizer - Moderately Critical - Access Bypass - SA-CONTRIB-2016-048

Wed, 08/17/2016 - 1:13pm
Description

Panelizer enables you to use Panels to replace the display of any entity, and even modify the Panels configuration in-place using the Panels In-Place Editor (IPE).

The default behavior for Panels IPE is to allow any user with the permissions "Use the Panels In-Place Editor" and "Change layouts with the Panels In-Place Editor" access to the IPE regardless of whether or not a user has access to edit the underlying entity. While users cannot edit the entity itself, they can change the layout and the different panel panes shown (effectively allowing them to edit it).

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Use the Panels In-Place Editor" and the IPE must be enabled for the specific content type.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Panelizer 7.x-3.x versions prior to 7.x-3.3.

Drupal core is not affected. If you do not use the contributed Panelizer module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Panelizer project page.

Reported by Fixed by Coordinated by
  • Mike Potter provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Panels - Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-047

Wed, 08/17/2016 - 12:20pm
Description

Panels does not check access on some routes (Critical)

Panels allows users with certain permissions to modify the layout and panel panes on pages or entities utilizing panels.

Much of the functionality to modify these panels relies on backend routes that call administrative forms. These forms did not provide any access checks or site-specific encoded URLs. This can allow an attacker to guess the backend URL as an anonymous user and see the data loaded for the form.

There is no mitigation for this exploit. Any site with panels enabled is vulnerable.

Panels In-place Editor does not properly check for access (Moderately Critical)

The Panels In-Place Editor (IPE) allows users with certain permissions to modify the layout and panel content of pages.

The default behavior for Panels IPE is to allow any user with the permissions "Use the Panels In-Place Editor" and "Change layouts with the Panels In-Place Editor" access to the IPE regardless of whether or not a user has proper access to the page. While users cannot edit the page content itself, they can change the layout and the different panel panes shown.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Use the Panels In-Place Editor" and the IPE must be enabled for the specific content type.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Panels 7.x-3.x versions prior to 7.x-3.6.

Drupal core is not affected. If you do not use the contributed Panels module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Panels module for Drupal 7.x, upgrade to Panels 7.x-3.6

Also see the Panels project page.

Reported by Fixed by Coordinated by
  • Mike Potter provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Hosting - Less Critical - Access bypass - SA-CONTRIB-2016-046

Wed, 08/17/2016 - 9:35am
Description

The Hosting module is a core component of the Aegir Hosting System.
This install profile, and accompanying suite of modules, is a hosting system that sits alongside a LAMP or LEMP server to create, deploy and manage Drupal sites.

The Hosting module does not sufficiently control access to any custom content types created by the user. The default content types are sufficiently protected.

This vulnerability is mitigated by the fact that on a typical installation the users who have access normally have admin privilege already, and few installations will have created additional custom content types.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Hosting 7.x-3.x versions prior to 7.x-3.7.

Drupal core is not affected. If you do not use the contributed Hosting module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Hosting project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Require Login - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2016-045

Wed, 08/10/2016 - 11:08am
Description

This module enables you to restrict site access without using user roles or permissions.

The module does not sufficiently escape some of its settings, and, in some cases, allows malicious users to bypass the protection offered by Require Login.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Require Login 7.x-2.x versions prior to 7.x-2.4
  • Require Login 8.x-1.x versions prior to 8.x-1.8

Drupal core is not affected. If you do not use the contributed Require Login module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Require Login project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

OAuth2 Client - Moderately Critical - Cross Site Request Forgery - SA-CONTRIB-2016-044

Wed, 08/10/2016 - 9:30am
Description

This module provides an OAuth2 client.

The module does not check the validity of the state parameter during the server-side flow before getting a token. This may allow a malicious user to feed a fake access_token to another user and subsequently provide that user with fake data from the server. This page explains it in more detail: http://www.twobotechnologies.com/blog/2014/02/importance-of-state-in-oau...
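The check the advisory says is missing, as an added example that is not the OAuth2 Client module's own code: the state value sent with the authorization redirect is stored server-side and must match what comes back to the callback before the code is exchanged for a token. Function names, session keys and the endpoint values are assumptions for illustration; it assumes PHP 7+ for random_bytes() and hash_equals() (on Drupal 7 with older PHP, drupal_random_bytes() is the equivalent randomness source).

```php
<?php
// Added example, not the OAuth2 Client module's code. $session stands in for
// $_SESSION so the two halves of the flow can be exercised offline.

// Step 1: starting the server-side flow. Generate an unguessable, one-shot
// state, keep it server-side in the user's session, and send it along.
function oauth2_example_authorize_url(array $client, array &$session) {
  $state = bin2hex(random_bytes(32));
  $session['oauth2_state'] = array('value' => $state, 'expires' => time() + 600);
  $params = array(
    'response_type' => 'code',
    'client_id'     => $client['client_id'],
    'redirect_uri'  => $client['redirect_uri'],
    'scope'         => $client['scope'],
    'state'         => $state,
  );
  return $client['authorization_endpoint'] . '?' . http_build_query($params);
}

// Step 2: the redirect_uri callback. Nothing is done with ?code= until the
// returned state matches the one stored for THIS session. Without this check
// a code (and therefore an access_token) belonging to someone else can end up
// bound to another user's session, which is the problem the advisory describes.
function oauth2_example_validate_callback(array $query, array &$session) {
  $expected = isset($session['oauth2_state']) ? $session['oauth2_state'] : NULL;
  unset($session['oauth2_state']);   // consume it: a state is valid exactly once

  if ($expected === NULL || $expected['expires'] < time()) {
    return array('ok' => FALSE, 'error' => 'no pending authorization');
  }
  if (empty($query['state']) || !is_string($query['state'])) {
    return array('ok' => FALSE, 'error' => 'missing state');
  }
  // Constant-time compare so the stored value is not leaked through timing.
  if (!hash_equals($expected['value'], $query['state'])) {
    return array('ok' => FALSE, 'error' => 'state mismatch');
  }
  if (empty($query['code'])) {
    $err = isset($query['error']) ? $query['error'] : 'missing code';
    return array('ok' => FALSE, 'error' => $err);
  }
  // Only now is it safe to exchange $query['code'] at the token endpoint.
  return array('ok' => TRUE, 'code' => $query['code']);
}

// Constructed walk-through with placeholder endpoints; no network traffic.
$client = array(
  'client_id'              => 'example-client',
  'redirect_uri'           => 'https://example.invalid/oauth2/callback',
  'scope'                  => 'profile',
  'authorization_endpoint' => 'https://idp.example.invalid/authorize',
);

// Genuine round trip: the state that came back is the one we stored.
$session = array();
$url = oauth2_example_authorize_url($client, $session);
parse_str((string) parse_url($url, PHP_URL_QUERY), $sent);
$result = oauth2_example_validate_callback(
  array('code' => 'CODE-FROM-IDP', 'state' => $sent['state']), $session);
var_dump($result);

// Callback carrying a state this session never issued: rejected before the
// code is touched, and the pending state is consumed either way.
$session = array();
oauth2_example_authorize_url($client, $session);
$result = oauth2_example_validate_callback(
  array('code' => 'CODE-FROM-IDP', 'state' => 'not-the-stored-value'), $session);
var_dump($result);
```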

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • OAuth2 Client 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed OAuth2 Client module, there is nothing you need to do.

Solution

Install the latest version:

Also see the OAuth2 Client project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Piwik - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2016-043

Wed, 08/10/2016 - 9:26am
Description

This module enables you to add integration with the Piwik statistics service.
The module allows admin users to enter custom JavaScript snippets to add advanced tracking functionality. The permission required to enter this JavaScript was not marked as restricted.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer Piwik".

For greater flexibility, a new feature has been added to the module to implement the new permission "Add JavaScript snippets", which can be assigned to users who are allowed to add JS code snippets to your web site.

If you have granted the Administer Google Analytics permission to untrusted users, please check your settings to make sure all JavaScript entered is valid.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Piwik 7.x-2.x versions prior to 7.x-2.9.
  • Piwik 8.x-2.x versions prior to 8.x-1.1.

Drupal core is not affected. If you do not use the contributed Piwik Web Analytics module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Piwik module for Drupal 7.x, upgrade to Piwik 7.x-2.9
  • If you use the Piwik module for Drupal 8.x, upgrade to Piwik 8.x-1.1
Also see the Piwik Web Analytics project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x, Drupal 8.x

Google Analytics - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2016-042

Wed, 08/10/2016 - 9:20am
Description

This module enables you to add integration with the Google Analytics statistics service.
The module allows admin users to enter custom JavaScript snippets to add advanced tracking functionality. The permission required to enter this JavaScript was not marked as restricted.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer Google Analytics".

For greater flexibility, a new feature has been added to the module to implement the new permission "Add JavaScript snippets", which can be assigned to users who are allowed to add JS code snippets to your web site.

If you have granted the Administer Google Analytics permission to untrusted users, please check your settings to make sure all JavaScript entered is valid.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Google Analytics 7.x-2.x versions prior to 7.x-2.3.
  • Google Analytics 8.x-2.x versions prior to 8.x-2.1.

Drupal core is not affected. If you do not use the contributed Google Analytics module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Google Analytics module for Drupal 7.x, upgrade to Google Analytics 7.x-2.3
  • If you use the Google Analytics module for Drupal 8.x, upgrade to Google Analytics 8.x-2.1

Also see the Google Analytics project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x, Drupal 8.x

Administration Views - Critical - Access bypass - SA-CONTRIB-2016-041

Wed, 08/03/2016 - 12:42pm
Description

Administration Views module replaces overview/listing pages with actual views for superior usability.

The module does not check access properly under certain circumstances. Anonymous users could get access to read information they should not have access to.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Administration Views 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed Administration Views module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Administration Views project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

RESTWS - Highly Critical - Remote Code Execution - SA-CONTRIB-2016-040

Wed, 07/13/2016 - 11:01am
Description

This module enables you to expose Drupal entities as RESTful web services.

RESTWS alters the default page callbacks for entities to provide additional functionality.

A vulnerability in this approach allows an attacker to send specially crafted requests resulting in arbitrary PHP execution.

There are no mitigating factors. This vulnerability can be exploited by anonymous users.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • RESTful Web Services 7.x-2.x versions prior to 7.x-2.6.
  • RESTful Web Services 7.x-1.x versions prior to 7.x-1.7.

Drupal core is not affected. If you do not use the contributed RESTful Web Services module, there is nothing you need to do.

Solution

Install the latest version:

Also see the RESTful Web Services project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Coder - Highly Critical - Remote Code Execution - SA-CONTRIB-2016-039

Wed, 07/13/2016 - 10:59am
Description

The Coder module checks your Drupal code against coding standards and other best practices. It can also fix coding standard violations and perform basic upgrades on modules.

The module doesn't sufficiently validate user inputs in a script file that has the PHP extension. A malicious unauthenticated user can make requests directly to this file to execute arbitrary PHP code.

There are no mitigating factors. The module does not need to be enabled for this to be exploited. Its presence on the file system and being reachable from the web are sufficient.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Coder module 7.x-1.x versions prior to 7.x-1.3.
  • Coder module 7.x-2.x versions prior to 7.x-2.6.

Drupal core is not affected. If you do not use the contributed Coder module, there is nothing you need to do.

Solution

Two solutions are possible.

A first option is to remove the module from all publicly available websites:

  • The Coder module is intended to be used in development environments and is not intended to be on publicly available servers. Therefore, one simple solution is to remove the entire coder module directory from any publicly accessible website.

A second option is to install the latest version:

Also see the Coder project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Webform Multiple File Upload - Critical - Remote Code Execution - SA-CONTRIB-2016-038

Wed, 07/13/2016 - 10:58am
Description

The Webform Multiple File Upload module allows users to upload multiple files on a Webform.

The Webform Multiple File Upload module contains a Remote Code Execution (RCE) vulnerability: form inputs are unserialized, and a specially crafted form input may trigger arbitrary code execution depending on the libraries available on a site.

This vulnerability is mitigated by the fact that an attacker must have the ability to submit a Webform with a Multiple File Input field. Further, a site must have an object defined with methods that are invoked at wake/destroy that include code that can be leveraged for malicious purposes. Drupal 7 Core contains one such class which can be used to delete arbitrary files, but contributed or custom classes may include methods that can be leveraged for RCE.

Note: this vulnerability exists in the Webform Multiple File Upload (webform_multifile) module. There is a similarly named module, Webform Multiple File (webform_multiple_file), which is not related to this issue.
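The pattern the advisory describes, untrusted form input passed to unserialize(), beside two hardened ways of carrying a list of uploaded file IDs through a form round trip. This is an added example, not the module's own code; the function names are illustrative, the sample inputs are constructed, and the allowed_classes option requires PHP 7+.

```php
<?php
// Added example, not the Webform Multiple File Upload module's code.

// The problematic pattern: whatever the client submits is unserialized, so any
// class loadable on the site can be instantiated and its __wakeup()/__destruct()
// code runs. Anyone who can submit the form controls this value.
function multifile_example_decode_unsafe($raw) {
  return unserialize($raw);
}

// Mitigation 1: forbid object instantiation. Serialized objects come back as
// __PHP_Incomplete_Class, so no magic methods execute; then enforce the shape
// the code actually expects (a flat list of integer Drupal fids).
function multifile_example_decode_noobjects($raw) {
  $data = @unserialize($raw, array('allowed_classes' => FALSE));
  if (!is_array($data)) {
    return array();
  }
  return array_values(array_filter($data, 'is_int'));
}

// Mitigation 2 (preferred): do not use PHP serialization for client round trips
// at all. JSON has no object-with-behaviour encoding, and validation is explicit.
function multifile_example_encode_fids(array $fids) {
  return json_encode(array_values(array_map('intval', $fids)));
}
function multifile_example_decode_fids($raw) {
  $data = json_decode($raw, TRUE);
  if (!is_array($data)) {
    return array();
  }
  $fids = array();
  foreach ($data as $fid) {
    if (is_int($fid) && $fid > 0) {
      $fids[] = $fid;
    }
  }
  return $fids;
}
// In Drupal 7 the list should additionally be kept in $form_state['storage'],
// or signed with drupal_hmac_base64(), so the client-side copy is never trusted.

// Constructed inputs. The object payload is a harmless stdClass: enough to show
// that object instantiation is the behaviour being removed, nothing more.
$legit_list = 'a:2:{i:0;i:12;i:1;i:34;}';
$object_in  = 'O:8:"stdClass":1:{s:3:"fid";i:12;}';

// Unsafe decoder: builds the object the client described.
var_dump(multifile_example_decode_unsafe($object_in));
// Hardened decoders: the object payload yields an empty list, the genuine
// list survives, and the JSON path round-trips with type coercion applied.
var_dump(multifile_example_decode_noobjects($object_in));
var_dump(multifile_example_decode_noobjects($legit_list));
var_dump(multifile_example_decode_fids(multifile_example_encode_fids(array(12, '34'))));
```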

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Webform Multifile 7.x-1.x versions prior to 7.x-1.4

Drupal core is not affected. If you do not use the contributed Webform Multiple File Upload module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Webform Multiple File Upload project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Instagram Block - Moderately Critical - Information Disclosure - SA-CONTRIB-2016-037

Wed, 07/06/2016 - 9:33am
Description

This module enables you to authenticate with Instagram's API via an intermediary service (instagram.yanniboi.com).
The module doesn't sufficiently advise that your authentication tokens could be intercepted.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Instagram Block 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Instagram Block module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Instagram Block project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
