Project Security Advisories

Subscribe to Project Security Advisories feed
Updated: 2 hours 10 min ago

Scald File - Critical - Remote Code Execution - SA-CONTRIB-2016-015

Wed, 03/09/2016 - 3:10pm
Description

When a PDF is uploaded in Scald File, various tools can be executed if they're installed on the server, to try to generate a thumbnail out of that PDF.

This is mitigated by the need to have the sufficient permissions to upload a file in Scald, and also to have at least one of the thumbnail creation tools installed on the server (pdfdraw, convert or mudraw).
It could also be partially mitigated by using the transliteration module for uploaded files.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Scald File module 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Scald File Provider module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Scald File Provider project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Fieldable Panels Panes - Moderately Critical - Access Bypass - SA-CONTRIB-2016-014

Wed, 03/02/2016 - 10:24am
Description

This module enables you to create fieldable entities that have special integration with Panels.

The module doesn't check access permissions on a file when it is attached to a field on a Fieldable Panels Panes entity that has been made private and where the file field is set to store files using the private file storage system.

This vulnerability is mitigated by the fact that it is an uncommon use case for the module.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Fieldable Panels Panes 7.x-1.x versions prior to 7.x-1.8.

Drupal core is not affected. If you do not use the contributed Fieldable Panels Panes (FPP) module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Fieldable Panels Panes (FPP) project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Node Notify - Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-013 - Unsupported

Wed, 03/02/2016 - 9:41am
Description

Node Notify is a lightweight module to allow subscription to comments on nodes for registered and anonymous users.

The module doesn't sufficiently sanitize some user provided content, leading to a Cross Site Scripting vulnerability.

Additionally, some paths were not protected against CSRF. An attacker could cause another user to subscribe and unsubscribe notifications by getting the user's browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of Node Notify module.

Drupal core is not affected. If you do not use the contributed Node Notify module, there is nothing you need to do.

Solution

If you use the Node Notify module for Drupal 7.x you should uninstall it.

Also see the Node Notify project page.

Reported by Fixed by

Not applicable.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Hubspot CTA - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-012 - Unsupported

Wed, 03/02/2016 - 9:37am
Description

This module enables you to embed a Hubspot CTA buttons widget in a Bean block.

The module allows configuration of a CTA ID and Account ID while adding a bean block for a CTA button, but doesn't sufficiently sanitise these parameters, allowing a potential cross-site scripting attack.

This vulnerability is mitigated by the fact that an attacker must have a role with the permissions "administer beans" or "Hubspot Calls-to-action: Add Bean".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of Hubspot CTA module.

Drupal core is not affected. If you do not use the contributed Hubspot CTA module, there is nothing you need to do.

Solution

If you use the Hubspot CTA module you should uninstall it.

Also see the Hubspot CTA project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Google Analytics Counter - Moderately Critical - CSRF - SA-CONTRIB-2016-011

Wed, 03/02/2016 - 9:07am
Description

The Google Analytics Counter module provides total pageview counts for each page on a website. In that it is similar to the core Statistics module counter, but it is much lighter and ultimately faster because it draws on data from Google Analytics. This is why it is also able to effortlessly count views of cached pages.

The module doesn't sufficiently protect against cross-site request forgery when it comes to the configuration reset link on its dashboard page. If the reset link were to be sent to a user with the right permissions, it could lead to an unwanted reset of the module's settings (including its OAuth credentials).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Google Analytics Counter 7.x-3.x versions prior to 7.x-3.2.

Drupal core is not affected. If you do not use the contributed Google Analytics Counter module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Google Analytics Counter project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

USASearch - Moderately Critical - Access Bypass - SA-CONTRIB-2016-010

Wed, 03/02/2016 - 9:01am
Description

This module indexes public content using USASearch, a program of the General Services Administration’s Office of Citizen Services and Information Technology (OCSIT), which offers free search services to any federal, state, local, tribal, or territorial government agency that can be used to search one or many sites. Read more at http://search.usa.gov/program .

The module may index unpublished content making content accessible through search.

This vulnerability is mitigated by the fact that it only affects unpublished content that has been saved and content that was published and subsequently unpublished.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • usasearch 7.x-5.x versions prior to 7.x-5.1.

Drupal core is not affected. If you do not use the contributed DigitalGov Search (machine name: USASearch) module, there is nothing you need to do.

Solution

Install the latest version:

Also see the DigitalGov Search (machine name: USASearch) project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x

Prepopulate - Moderately Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-009

Wed, 03/02/2016 - 8:57am
Description

The Prepopulate module allows form fields to be pre-populated in the request.

The Prepopulate module does not adequately prevent a user from overwriting arbitrary parts of $_REQUEST. It also does not prevent pre-populating certain fields that are not displayed or manipulating markup fields to alter elements of the user interface.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Prepopulate 7.x-2.x versions prior to 7.x-2.1.

Drupal core is not affected. If you do not use the contributed Prepopulate module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Prepopulate project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

SA-CONTRIB-2016-008 - FileField - Denial of Service

Wed, 02/24/2016 - 10:03am
Description

FileField module allows users to upload files in conjunction with the Content Construction Kit (CCK) module in Drupal 6.

The module doesn't validate that a request to delete a temporary file was made by the user who uploaded the file. An attacker can use this vulnerability to delete other user's file uploads while they are in the process of creating or editing content and attaching files (before it is saved). This can be used as a denial of service (DoS) attack that can prevent file uploads from working on the site.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content and upload files using a file (or image) field.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • FileField module 6.x-3.x versions prior to 6.x-3.14.

Drupal core is not affected. If you do not use the contributed FileField module, there is nothing you need to do.

Solution

Install the latest version:

Also see the FileField project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x

Nodejs - Access bypass - Moderately Critical -- DRUPAL-SA-CONTRIB-2016-007

Wed, 02/17/2016 - 1:00pm
Description

This module provides an API that other modules can use to add realtime capabilities to Drupal, specifically enabling pushing updates to open connected clients.

The module doesn't disconnect unauthenticated sockets, allowing those sockets to receive broadcast messages. For sites that only serve authenticated pages, or only allows Node.js connections from authenticated users, the expectation is that only authenticated Drupal users will see broadcast messages.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Node.js 7.x-1.x versions prior to 7.x-1.11.
  • Node.js 8.x-1.x beta versions prior to 8.x-1.0.

Drupal core is not affected. If you do not use the contributed Node.js integration module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Node.js integration project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.xDrupal 8.x

Commerce Authorize.Net SIM/DPM Payment Methods - Access Bypass - DRUPAL-SA-CONTRIB-2016-006

Wed, 02/17/2016 - 12:56pm
Description

This module enables you to make credit card payments for Drupal Commerce orders via the Authorize.Net payment gateway using either their SIM (hosted payment page) or DPM (direct post method) mechanisms.

The module doesn't sufficiently protect against the premature triggering of order completion without successful payment by the manual entry of a specially-constructed URL which contains the correct payment redirect key.

This vulnerability is mitigated by the fact that an attacker must know the format of the redirect URL and the current payment redirect key. It's also worth noting that orders prematurely completed in this fashion will NOT record a successful payment and thus show an unpaid balance.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Commerce Authorize.Net SIM/DPM Payment Methods versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Commerce Authorize.Net SIM/DPM Payment Methods module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Commerce Authorize.Net SIM/DPM Payment Methods project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

CAS - Moderately Critical - Information Disclosure - DRUPAL-SA-CONTRIB-2016-005

Wed, 02/10/2016 - 4:16pm
Description

This module enables you to use your Drupal site as a client or server for the single sign on protocol CAS. This vulnerability only affects sites that use the "CAS Server" sub module.

The module doesn't allow an administrator to restrict which CAS clients are allowed authenticate with the Drupal CAS server. A malicious CAS client can trick your users into exposing information about themselves, including: username, uid, email, account created date, account language, and roles.

This vulnerability is mitigated by the fact that a user must click a specially formed link from the malicious site and log into your Drupal CAS server with their credentials. If the user already has an active session with your Drupal CAS server, then that step is skipped.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • CAS 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed CAS module, there is nothing you need to do.

Solution

Install the latest version:

  • If you are using the CAS Server sub-module, upgrade to CAS 7.x-1.5 and configure the "white list" of accepted CAS clients that are allowed to authenticate with your CAS server.
  • If you use the CAS module but NOT the server sub-module, then do nothing.

Also see the CAS project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Embedded Media Field - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2016-004

Wed, 02/10/2016 - 4:14pm
Description

This module enables you to to display video, image, and audio files from various third party providers

The module doesn't sufficiently sanitize path arguments under certain scenarios.

This vulnerability is mitigated by the fact that an attacker must be able to trick an administrator into visiting a carefully crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Embedded Media Field 6.x-1.x all versions.
  • Embedded Media Field 6.x-2.x versions prior to 6.x-2.7.

Versions of Embedded Media Field for Drupal 7 are not affected.

Drupal core is not affected. If you do not use the contributed Embedded Media Field module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Embedded Media Field project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Open Atrium - Moderately Critical - Access Bypass - SA-CONTRIB-2016-003

Wed, 01/27/2016 - 11:29am
Description

Open Atrium allows you to control access via a hierarchy of public and private spaces and sub-spaces. If a public sub-space is created within a private parent-space, the content nodes of the public sub-space are accessible to users who are not members of the parent private space.

This issue only affects sites that use private sub-spaces.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Open Atrium 7.x-2.x versions prior to 7.x-2.53.

Drupal core is not affected. If you do not use the contributed Open Atrium module, there is nothing you need to do.

Solution
  • Upgrade to the latest version, 7.x-2.53

If you are not able to fully upgrade to the latest version, ensure private sub-spaces are directly marked as private and are not seen publicly in a private parent space.

Also see the Open Atrium project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

RedHen CRM - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-002

Wed, 01/13/2016 - 3:21pm
Description

The Redhen set of modules allows you to build a CRM features in a Drupal site.

When rendering individual Contacts, this module does not properly filter the certain data prior to display. When rendering listing of notes or engagement scores, these modules do not properly filter certain data before display.

This vulnerability is mitigated by the fact that an attacker must have an authenticated user account with access to edit a contact, administer engagement scores, or administer taxonomies.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Redhen 7.x-1.x versions prior to 7.x-1.11.

Drupal core is not affected. If you do not use the contributed RedHen CRM module, there is nothing you need to do.

Solution

Install the latest version:

Workaround (if you are unable to update the module immediately):

  • In the display settings for your Redhen Contact Types (admin/structure/redhen/contact_types), hide "name" on all display modes.
  • Restrict access to "Administer Engagement Scores" and "Administer Taxonomies" to trusted users.

Also see the RedHen CRM project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Field Group - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-001

Wed, 01/06/2016 - 12:01pm
Description

Field Group module enables you to group fields on entity forms and entity displays.

When adding a HTML element as group, the user has the option to add custom HTML attributes on the group. Via this option, a malicious user can embed scripts within the page, resulting in a Cross-site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker has to be able to configure field display settings, which usually needs a higher level permission such as Administer vocabularies and terms.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Field Group 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Field Group module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Field Group project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Block Class - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-175

Wed, 12/16/2015 - 2:26pm
Description

This module enables you to add custom classes to blocks.
The module doesn't sufficiently scrub class names written by a malicious block class administrator.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer block classes".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • block_class 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Block Class module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Block Class project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Open Atrium - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-174

Wed, 12/16/2015 - 11:39am
Description

Open Atrium distribution enables you to create an intranet.

Open Atrium Core module doesn't sufficiently sanitize some user supplied text, leading to a reflected Cross Site Scripting vulnerability (XSS).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Open Atrium distribution 7.x-2.x versions prior to 7.x-2.51
  • Open Atrium Core module 7.x-2.x versions prior to 7.x-2.66

Drupal core is not affected. If you do not use the contributed Open Atrium module, there is nothing you need to do.

Solution

If you use the Open Atrium distribution for Drupal 7.x:

If you use the Open Atrium Core module for Drupal 7.x:

If you are unable to update to Open Atrium 2.51 or oa_core 2.66, you can apply this patch to the oa_core module to fix the vulnerability until such time as you are able to completely upgrade to Open Atrium 2.51 or oa_core 2.66.

Also see the Open Atrium project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Select2 Field Widget - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-173

Wed, 12/16/2015 - 10:44am
Description

Select2 Field Widget module enables you to use the select2 library for field widgets.

The module doesn't sufficiently sanitize some user supplied text, leading to a reflected Cross Site Scripting vulnerability (XSS).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Select2 Field Widget 7.x-2.x versions prior to 7.x-2.9.

Drupal core is not affected. If you do not use the contributed Select2 Field Widget module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Select2 Field Widget project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Values - Critical - Arbitrary PHP code execution - SA-CONTRIB-2015-172

Wed, 12/16/2015 - 10:27am
Description

This module enables you to create key|value pairs for use in list fields, webforms etc.

The module includes an import page that runs eval() on an exported code block (ctools), but the permission for the page does not warn about security concerns of importing raw php code like this (trusted permission).

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "import value sets".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Values 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Values module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the values module for Drupal 7.x, upgrade to Values 7.x-1.2

Also see the Values project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Token Insert Entity - Moderately Critical - Access bypass and information disclosure - SA-CONTRIB-2015-171

Wed, 12/02/2015 - 3:57pm
Description

This module offers a WYSIWYG button to embed rendered entities in fields using a WYSIWYG (normally the body of a node).

There is a vulnerability because a user that can create or edit content and has the "insert entity token" permission can insert tokens relating to e.g. an unpublished node and allow any (including anonymous) users to see this rendered node embedded into the main node.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Token Insert Entity 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Token Insert Entity module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Token Insert Entity project page.

Reported by
  • killes of the Drupal Security Team
Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Pages