Project Security Advisories

Subscribe to Project Security Advisories feed
Updated: 2 hours 20 sec ago

jQuery Update - Less Critical - Open Redirect - SA-CONTRIB-2015-158

Wed, 10/21/2015 - 12:34pm
Description

The jQuery Update module enables you to update jQuery on your site.

The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack (see SA-CORE-2015-004).

Only sites with the Overlay module enabled are vulnerable.

An incomplete fix for this issue was released in SA-CONTRIB-2015-123.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • jQuery Update 7.x-2.x versions prior to 7.x-2.7

Drupal core is not affected. If you do not use the contributed jQuery Update module, there is nothing you need to do.

Solution

Install the latest version:

Also see the jQuery Update project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Twilio - Moderately Critical - Access bypass - SA-CONTRIB-2015-157

Wed, 10/14/2015 - 4:56pm
Description

This module provides hooks and rules integration to leverage the Twilio API to send/receive phone calls and text messages.

The module relies on existing permissions for providing administration which can lead to untrusted users having access to perform actions that may not be intended.

This vulnerability is mitigated by the fact that an attacker must have access to a session with the role that has the permission "access administration pages".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Twilio 7.x-1.x versions prior to 7.x-1.11

Drupal core is not affected. If you do not use the contributed Twilio module, there is nothing you need to do.

Solution

Install the latest version:

Grant the permission "administer twilio" to any roles that should be able to administer the Twilio module.

Also see the Twilio project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Colorbox - Access bypass - Less Critical - SA-CONTRIB-2015-156

Wed, 10/07/2015 - 12:16pm
Description

This module allows for integration of Colorbox, a jQuery lightbox plugin, into Drupal.

The module allows unprivileged users to add unexpected content to a Colorbox, including content from external sites. This allows an unprivileged user to deface a site.

This vulnerability is mitigated by the fact that an attacker must have permission to post comments with a text format that allows links.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Colorbox 7.x-2.x versions prior to 7.x-2.10.

Drupal core is not affected. If you do not use the contributed Colorbox module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Colorbox project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Entity Registration - Moderately Critical - Information Disclosure - SA-CONTRIB-2015-155

Wed, 10/07/2015 - 11:47am
Description

This module enables you to manage registrations for events.

The module doesn't sufficiently protect information about who is registered to attend specific events when anonymous users are granted a permission that is commonly recommended when allowing anonymous registrations.

This vulnerability is mitigated by the fact that anonymous users must have the permission "Register other accounts."

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Entity Registration 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Entity Registration module, there is nothing you need to do.

Solution

Install the latest version:

Note on releases: the security bug was fixed in the 7.x-1.5 release, however that release included many other bug fixes and features. The 7.x-1.6 release is intended to fix a critical, non-security bug in the 7.x-1.5 release.

Update permissions configuration:

  • Remove the "Register other accounts" permission for anonymous users or other unprivileged roles
  • If needed, add the "Register Self" permission for anonymous users and other unprivileged roles

Also see the Entity Registration project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Stickynote - Cross Site Scripting (XSS) - Moderately Critical - SA-CONTRIB-2015-154

Wed, 10/07/2015 - 11:40am
Description

This module enables you to create notes on a page inside a block.

The module doesn't sufficiently sanitize the note text on the admin listing page.

This vulnerability is mitigated by the fact that an attacker must have a role with a permission to create or edit a stickynote.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Stickynote 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed stickynote module, there is nothing you need to do.

Solution

Install the latest version.

Also see the stickynote project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Taxonomy Find - Unsupported - SA-CONTRIB-2015-153

Wed, 09/30/2015 - 4:16pm
Description

This module enables you to add a simple search interface to lookup taxonomy terms by name.

The module doesn't sufficiently sanitize output of taxonomy vocabulary names and term names.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer vocabularies and terms" or the ability to add or edit nodes or entities with taxonomy fields attached.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • MODULE 6.x-2.x versions up to 6.x-1.2.
  • MODULE 7.x-2.x versions up to 7.x-1.0.

Drupal core is not affected. If you do not use the contributed Taxonomy Find module, there is nothing you need to do.

Solution

If you use the Taxonomy Find module you should uninstall it.

Also see the Taxonomy Find project page.

Reported by
  • Matt Vance provisional member of the Drupal Security Team
Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x

User Dashboard - SQL Injection - Critical - SA-CONTRIB-2015-152

Wed, 09/30/2015 - 4:13pm
Description

Module contains SQL Injection vulnerabilities.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • user_dashboard 7.x versions prior to 7.x-1.4

Drupal core is not affected. If you do not use the contributed UserDashboard module, there is nothing you need to do.

Solution

Install the latest version.

  • If you use the User Dashboard module for Drupal 7.x, upgrade to 7.x-1.4

Also see the UserDashboard project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Scald - Moderately Critical - Information Disclosure - SA-CONTRIB-2015-151

Wed, 09/16/2015 - 11:57am
Description

This module enables you to easily manage your media assets and re-use them in all your content.

The module provided a "debug" context that gave access to all the atom properties, including all the fields attached to this atom, without applying the corresponding field restrictions.

This vulnerability is mitigated by the fact that only sites that added fields to an atom type and then restricted access to those fields are vulnerable.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Scald 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Scald: Media Management made easy module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Scald module for Drupal 7.x, upgrade to Scald 7.x-1.5

Also see the Scald: Media Management made easy project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

CMS Updater - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2015-150

Wed, 09/16/2015 - 11:05am
Description

CMS Updater allows to update Drupal core automatically with a subscription service.

Access bypass
The module does not sufficiently protect the settings page allowing any user with the permission "access administration pages" to change settings.

This vulnerability is mitigated by the fact that an attacker must have the "access administration pages" permission on the site.

Cross Site Scripting (XSS)
The module does not sanitize user provided text on the configuration page thereby exposing a cross site scripting vulnerability.

There are no mitigating factors for the cross site scripting.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • CMS Updater 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed CMS Updater module, there is nothing you need to do.

Solution

Install the latest version:

Also see the CMS Updater project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

amoCRM - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2015-149

Wed, 09/16/2015 - 10:55am
Description

This module enables you to integrate with amoCRM service using webhooks.

The module does not sufficiently sanitize the logged data when malicious POST data is received.

This vulnerability is mitigated by the fact that a module such "Database logging" (dblog) must be enabled which displays log messages in a HTML context.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • amoCRM 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed amoCRM module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the amoCRM module for Drupal 7.x, upgrade to amoCRM 7.x-1.2

Also see the amoCRM project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Drupal 7 driver for SQL Server and SQL Azure - Moderately Critical - SQL Injection - SA-CONTRIB-2015-148

Wed, 09/16/2015 - 10:38am
Description

Drupal 7 driver for SQL Server and SQL Azure module has a SQL injection vulnerability.

Certain characters aren't properly escaped by the Drupal database API. A malicious user may be able to access restricted information by performing a specially-crafted search.

Only sites that use contrib or custom modules which rely on the db_like() function may be affected.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Drupal 7 driver for SQL Server and SQL Azure 7.x-1.x versions prior to 7.x-1.4

Drupal core is not affected. If you do not use the contributed Drupal 7 driver for SQL Server and SQL Azure module, there is nothing you need to do.

Solution

Install the latest version:

Although a 7.x-1.4 version has been released the 7.x-1.x branch is currently unsupported and not maintained.

Also see the Drupal 7 driver for SQL Server and SQL Azure project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

RESTful - Moderately Critical - Access bypass - SA-CONTRIB-2015-147

Wed, 09/09/2015 - 2:18pm
Description

This module enables you to expose your Drupal backend by generating a RESTful API.

The module doesn't sufficiently account for core's page cache generation for anonymous users, when using non-cookie authentication providers. Authenticated users, via one of the authentication providers, can have their pages cached as anonymous users, and therefore allowing access to potentially restricted information during subsequent anonymous requests.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • RESTful 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed RESTful module, there is nothing you need to do.

Solution

Install the latest version:

Also see the RESTful project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Twitter - Moderately Critical - Access bypass - SA-CONTRIB-2015-146

Wed, 09/09/2015 - 1:09pm
Description

This module enables you to pull in public tweets from Twitter accounts, post messages to Twitter to announce content changes, and authenticate using Twitter.

The module doesn't sufficiently check for access when using the Twitter Post submodule to post messages to Twitter and allows a tweet to be posted to any authenticated account, not just one that the user owns.

The module also doesn't sufficiently check for access when listing a user's connected Twitter accounts, allowing any user to change the options for any other account, including deleting the attached Twitter account.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "post to twitter" in order to post to Twitter, and have either the permission "add twitter accounts" or "add authenticated twitter accounts" in order to access the accounts list.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Twitter 6.x-5.x versions prior to 6.x-5.2.
  • Twitter 7.x-5.x versions prior to 7.x-5.9.
  • Twitter 7.x-6.x versions prior to 7.x-6.0.

Drupal core is not affected. If you do not use the contributed Twitter module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Twitter 5.x module for Drupal 6.x, upgrade to Twitter 6.x-5.2 or later.
  • If you use the Twitter 5.x module for Drupal 7.x, upgrade to Twitter 7.x-5.9 or later.
  • If you use the Twitter 6.x module for Drupal 7.x, upgrade to Twitter 7.x-6.0 or later.

Also see the Twitter project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x

Fieldable Panels Panes - Less Critical - Access bypass - SA-CONTRIB-2015-145

Wed, 09/02/2015 - 1:50pm
Description

Fieldable Panels Panes enables you to create custom panes for embedding in Panels-based displays (Page Manager, Panelizer, Panels Everywhere) via a fieldable custom entity type.

The module doesn't sufficiently check for permission to edit existing Fieldable Panels Panes entities, thus allowing someone to modify a pane they don't have permission to edit.

This vulnerability is mitigated by the fact that an attacker must have a role with the necessary permissions to edit a panels display that has a custom pane, and it's uncommon that someone is given access to this functionality and not also permission to edit the panes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Fieldable Panels Panes 7.x-1.x versions prior to 7.x-1.7.

Drupal core is not affected. If you do not use the contributed Fieldable Panels Panes (FPP) module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Fieldable Panels Panes (FPP) project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Mass Contact - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-144

Wed, 09/02/2015 - 1:12pm
Description

This module allows anyone with permission to send a single message to multiple users of a site, using the site's roles and/or taxonomy functionality.

The module doesn't sufficiently sanitize the category labels when they are displayed.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer mass contact".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Mass Contact 6.x-1.x versions prior to 6.x-1.6.
  • Mass Contact 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Mass Contact module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Mass Contact project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x

Zendesk Feedback Tab - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-143

Wed, 09/02/2015 - 11:24am
Description

This module enables you to easily integrate the Zendesk Support Tab on your Drupal website.

The module allows Javascript code to be embedded via its administration interface, allowing for the potential of cross-site scripting attacks. The module did not properly indicate that site administrators should restrict access to that permission to only trusted users.

This vulnerability is mitigated by the fact that an attacker must have a role with the Configure Zendesk Feedback Tab permission.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Zendesk Feedback Tab 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Zendesk Feedback Tab module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Zendesk Feedback Tab project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Spotlight - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2015-142

Tue, 09/01/2015 - 4:16pm
Description

The Spotlight module provides a tool that mimics Mac OS X Spotlight functionality. It provides faster access to content, paths and uploaded files.

The module doesn't sufficiently sanitize node titles when displayed in results.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Spotlight 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Spotlight module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Spotlight project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Ctools - Critical - Multiple Vulnerabilities - SA-CONTRIB-2015-141

Wed, 08/19/2015 - 4:28pm
Description Cross Site Scripting (XSS)

Ctools in Drupal 6 provides a number of APIs and extensions for Drupal, and is a dependency for many of the most popular modules, including Views, Panels and Entityreference. Many features introduced in Drupal Core once lived in ctools.

This vulnerability can be mitigated by the fact that ctools must load its javascript on the page and the user has access to submit data through a form (such as a comment or node) that allows 'a' tags.

This patch is a backport for SA-CORE-2015-003.

Access bypass

This module provides a number of APIs and extensions for Drupal, and is a dependency for many of the most popular modules, including Views, Panels and Features.

The module doesn't sufficiently verify the "edit" permission for the "content type" plugins that are used on Panels and similar systems to place content and functionality on a page.

This vulnerability is mitigated by the fact that the user must have access to edit a display via a Panels display system, e.g. via Panels pages, Mini Panels, Panel Nodes, Panelizer displays, IPE, Panels Everywhere, etc. Furthermore, either a contributed module provides a CTools content type plugin, or a custom plugin must be written that inherits permissions from another plugin and must have a different permission defined; if no "edit" permission is set up for the child object CTools did not check the permissions of the parent object. One potential scenario would allow people who did not have edit access to Fieldable Panels Panes panes, which were specifically set to not be reusable, to edit them despite the person's lack of access.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

Cross Site Scripting:

  • ctools 6.x-1.x versions prior to 6.x-1.14.

Access bypass:

  • ctools 6.x-1.x versions prior to 6.x-1.14.
  • ctools 7.x-1.x versions prior to 7.x-1.8.

Drupal core is not affected. If you do not use the contributed Chaos tool suite (ctools) module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Chaos tool suite (ctools) project page.

Reported by

Cross Site Scripting:

Access bypass:

Fixed by

Cross Site Scripting:

Access bypass:

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x

Search API Autocomplete - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-140

Wed, 08/19/2015 - 11:02am
Description

This module enables you to add autocomplete suggestions for search forms created with the Search API module.

The module doesn't sufficiently sanitize the HTML output for the returned suggestions, theoretically allowing an attacker to include custom HTML there.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create new content (or other indexed entities) and that the search index must be configured to use the HTML filter processor.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Search API Autocomplete 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Search API Autocomplete module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Search API Autocomplete project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Workbench Email - Moderately Critical - Access bypass - DRUPAL-SA-CONTRIB-2015-139

Wed, 08/19/2015 - 10:52am
Description

Workbench Email module provides a way for administrators to define email transitions and configurable email subject / messages between those transitions.

The module causes node and field validations to be skipped when saving nodes.

The vulnerability is mitigated by the fact that an attacker must have a role with permission to create or update nodes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Workbench Email 7.x-3.x versions prior to 7.x-3.4

Drupal core is not affected. If you do not use the contributed Workbench Email module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Workbench Email project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Pages