Project Security Advisories

Subscribe to Project Security Advisories feed
Updated: 55 min 24 sec ago

D8 Editor File upload - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-059

Wed, 11/02/2016 - 3:38pm
Description

This module enables you to upload files directly within the CKEditor and create a link to download the given file.

The module doesn't sufficiently check the uploaded file extensions when the allowed extensions list is not the default one.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to use a text filter that enables this CKEditor plugin and does not use the default allowed extensions.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • D8 Editor File Upload 8.x-1.x versions prior to 8.x-1.2.

Drupal core is not affected. If you do not use the contributed D8 Editor File upload module, there is nothing you need to do.

Solution

Install the latest version:

Also see the D8 Editor File upload project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Bootstrap - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-058

Wed, 11/02/2016 - 2:04pm
Description

The Bootstrap theme enables you to integrate the Bootstrap framework with Drupal.

The theme does not sufficiently filter potential user-supplied data when it's passed to certain templates can which lead to a Persistent Cross Site Scripting (XSS) vulnerability.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Bootstrap 7.x-3.x versions prior to 7.x-3.7

Drupal core is not affected. If you do not use the contributed Bootstrap theme, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Bootstrap theme from the 7.x-3.x branch, upgrade to Bootstrap 7.x-3.8

Also see the Bootstrap project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Profile 2 Registration Path - Critical - Unsupported - DRUPAL-SA-CONTRIB-2015-057

Wed, 11/02/2016 - 1:47pm
Description

This module enables administrators to set unique registration paths per Profile2 profile type.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
    All versions are affected.

Drupal core is not affected. If you do not use the contributed Profile2 Registration Path module, there is nothing you need to do.

Solution

Uninstall the module

Also see the Profile2 Registration Path project page.

Reported by Fixed by

N/A

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Like/Dislike - Critical - Unsupported- SA-CONTRIB-2016-056

Wed, 11/02/2016 - 1:38pm
Description

Like/Dislike module can be used to Like and Dislike actions on any content. It is powered by Drupal field concept.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of like/dislike module.

Drupal core is not affected. If you do not use the contributed Like/Dislike module, there is nothing you need to do.

Solution

If you use the like/dislike module for Drupal 7.x you should uninstall it.

Also see the Like/Dislike project page.

Reported by Fixed by

Not applicable.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Menu Views - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-055

Wed, 11/02/2016 - 1:21pm
Description

This module enables users to create menu items that render views instead of links. This is useful for creating "mega-menus".

The module doesn't sufficiently filter title and breadcrumb fields for possible cross-site scripting.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer menu views".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Menu Views 7.x-2.x versions prior to 7.x-2.4.

Drupal core is not affected. If you do not use the contributed Menu Views module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Menu Views project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Tripal BLAST UI - Highly Critical - Remote Code Execution - SA-CONTRIB-2016-054

Wed, 10/26/2016 - 12:20pm
Description

This module enables you to run NCBI BLAST jobs on the host system.

The module doesn't sufficiently validate advanced options available to users submitting BLAST jobs, thereby exposing the ability to enter a short snippet of shell code that will be executed when the BLAST job is run.

This vulnerability only requires the attacker to have minimal permissions on the site (for example, "View published content") and therefore can be exploited by untrusted or unauthenticated users in most cases.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Tripal BLAST UI 7.x-1.x versions prior to 7.x-1.2

Drupal core is not affected. If you do not use the contributed Tripal BLAST UI module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Tripal BLAST UI project page.

Reported by Fixed by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Webform - Less Critical - Access Bypass - SA-CONTRIB-2016-053

Wed, 10/19/2016 - 10:27am
Description

This module provides a user interface to create and configure forms called Webforms.

When using forms with private file uploads, Webform wasn't explicitly denying access to files it managed which could allow access to be granted by other modules.

The vulnerability is mitigated by the fact that another module has to explicitly grant access to those files.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Webform 7.x-3.x versions prior to 7.x-3.25.
  • Webform 7.x-4.x is unaffected.

Drupal core is not affected. If you do not use the contributed Webform module, there is nothing you need to do.

Solution

If you use webform-7.x-3.x you may …

Also see the Webform project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Elysia Cron - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-052

Wed, 10/12/2016 - 10:08am
Description

This module enables you to manage cron jobs.

The module doesn't sufficiently sanitize the cron rules which are entered into "Predefined rules" field thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer elysia cron".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Elysia Cron 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Elysia Cron module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Elysia Cron project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Flag Lists - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2016-051

Wed, 09/07/2016 - 1:45pm
Description

This module enables regular users to create unlimited private flags called lists.

The flag_lists module doesn't sufficiently filter the output when applying token strings to flag_lists links leading to a persistent Cross Site Scripting (XSS) attack.

This vulnerability is mitigated by the fact that an attacker must have a role with the "Create flag lists" permission.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • flag_lists 7.x-3.x versions prior to 7.x-3.1.
  • flag_lists 7.x-1.x versions prior to 7.x-1.3.

Please note that there are two different versions available of the flag_lists module. One 7.x-3.x which is used together with flag 7.x-3.x and one for the earlier flag module prior to 7.x-3.x.

Drupal core is not affected. If you do not use the contributed Flag lists module, there is nothing you need to do.

Drupal core is not affected. If you do not use the contributed Flag Lists module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Flag Lists project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Flag - Moderately Critical - Access Bypass - SA-CONTRIB-2016-050

Wed, 08/31/2016 - 1:23pm
Description

Flag enables users to mark content with any number of admin-defined flags, such as 'bookmarks' or 'spam'. Flag Bookmark is a submodule within Flag, which provides a 'bookmarks' flag, and default views to list bookmarked content.

The provided view that lists each user's bookmarked content as a tab on their user profile has for its access control the permission to use the 'bookmarks' flag. This means that any user who has permission to use the 'bookmarks' flag can see the list of content that any user has bookmarked.

This vulnerability is mitigated by the fact that the site must have enabled the Flag Bookmark module to create this view, and an attacker must have a role with the permission "Flag node entities as bookmarks".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Flag 7.x-3.x versions prior to 7.x-3.8.

Drupal core is not affected. If you do not use the contributed Flag module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Flag module for Drupal 7.x, upgrade to Flag 7.x-3.8

If you have Flag Bookmark enabled, or have enabled it in the past and still have the flag_bookmarks_tab view active, edit this and change the User: uid contextual filter's as follows:

  1. set the validator to 'Current user ID matches argument value'
  2. set the action to take if the filter value does not validate to 'Show "Page not found"'.

Also see the Flag project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Workbench Scheduler - Moderately Critical - Access Bypass - SA-CONTRIB-2016-049

Wed, 08/24/2016 - 10:47am
Description

Workbench Scheduler module provides users with the ability to create schedules that change moderated content from one workbench moderation state to another.

An authenticated user could add a schedule to a node even when that content type has schedules disabled.

The vulnerability is mitigated by the fact that a attacker must have access to an account in the system with permission to edit content and create schedules. Also, only sites with a specific combination of permissions and modules are affected.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Workbench Scheduler 7.x-1.x versions prior to 7.x-1.9.

Drupal core is not affected. If you do not use the contributed Workbench Scheduler module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Workbench Scheduler project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Panelizer - Moderately Critical - Access Bypass - SA-CONTRIB-2016-048

Wed, 08/17/2016 - 1:13pm
Description

Panelizer enables you to use Panels to replace the display of any entity, and even modify the Panels configuration in-place using the Panels In-Place Editor (IPE).

The default behavior for Panels IPE is to allow any user with the permissions "Use the Panels In-Place Editor" and "Change layouts with the Panels In-Place Editor " access to the IPE regardless of whether or not a user has access to edit the underlying entity. While users cannot edit the entity itself, they can change the layout and the different panel panes shown (effectively allowing them to edit it).

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Use the Panels In-Place Editor" and the IPE must be enabled for the specific content type.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Panelizer 7.x-3.x versions prior to 7.x-3.3.

Drupal core is not affected. If you do not use the contributed Panelizer module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Panelizer project page.

Reported by Fixed by Coordinated by
  • Mike Potter provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Panels - Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-047

Wed, 08/17/2016 - 12:20pm
Description Panels does not check access on some routes (Critical)

Panels allows users with certain permissions to modify the layout and panel panes on pages or entities utilizing panels.

Much of the functionality to modify these panels rely on backend routes that call administrative forms. These forms did not provide any access checks, or site specific encoded urls. This can allow an attacker to guess the backend url as an anonymous user and see data loaded for the form.

There is no mitigation for this exploit. Any site with panels enabled is vulnerable.

Panels In-place Editor does not properly check for access (Moderately Critical)

The Panels In-Place Editor (IPE) allows users with certain permissions to modify the layout and panel content of pages.

The default behavior for Panels IPE is to allow any user with the permissions "Use the Panels In-Place Editor" and "Change layouts with the Panels In-Place Editor " access to the IPE regardless of whether or not a user has proper access to the page. While users cannot edit the page content itself, they can change the layout and the different panel panes shown.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Use the Panels In-Place Editor" and the IPE must be enabled for the specific content type.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Panels 7.x-3.x versions prior to 7.x-3.6.

Drupal core is not affected. If you do not use the contributed Panels module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the panels module for Drupal 7x, upgrade to Panels 7.x-3.6

Also see the Panels project page.

Reported by Fixed by Coordinated by
  • Mike Potter provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Hosting - Less Critical - Access bypass - SA-CONTRIB-2016-046

Wed, 08/17/2016 - 9:35am
Description

The Hosting module is a core component of the Aegir Hosting System.
This install profile, and accompanying suite of modules, is a hosting system that sits alongside a LAMP or LEMP server to create, deploy and manage Drupal sites.

The Hosting module does not sufficiently control access to any custom content types created by the user. The default content types are sufficiently protected.

This vulnerability is mitigated by the fact that on a typical installation the users who have access normally have admin privilege already, and few installations will have created additional custom content types.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Hosting 7.x-3.x versions prior to 7.x-3.7.

Drupal core is not affected. If you do not use the contributed Hosting module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Hosting project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Require Login - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2016-045

Wed, 08/10/2016 - 11:08am
Description

This module enables you to restrict site access without using user roles or permissions.

The module does not sufficiently escape some of its settings, and, in some cases, allows malicious users to bypass the protection offered by Require Login.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Require Login 7.x-2.x versions prior to 7.x-2.4
  • Require Login 8.x-1.x versions prior to 8.x-1.8

Drupal core is not affected. If you do not use the contributed Require Login module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Require Login project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

OAuth2 Client- Moderately Critical - Cross Site Request Forgery - SA-CONTRIB-2016-044

Wed, 08/10/2016 - 9:30am
Description

This module provides an OAuth2 client.

The module does not check the validity of the state parameter, during server-side flow, before getting a token. This may allow a malicious user to feed a fake access_token to another user, and subsequently provide him fake data from the server. This page explains it in more details: http://www.twobotechnologies.com/blog/2014/02/importance-of-state-in-oau...

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • OAuth2 Client 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed OAuth2 Client module, there is nothing you need to do.

Solution

Install the latest version:

Also see the OAuth2 Client project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Piwik - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2016-043

Wed, 08/10/2016 - 9:26am
Description

This module enables you to add integration with Piwik statistics service.
The module allows admin users to enter custom JavaScript snippets to add advanced tracking functionality. The permission required to enter this JavaScript was not marked as restricted.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer Piwik".

For greater flexibility a new feature has been added to the module to implement the new permission "Add JavaScript snippets" that can be assigned to users who are allowed to add JS code snippets into your web site.

If you have granted the Administer Google Analytics to non trusted users, please check your settings to make sure all javascript entered is valid.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Piwik 7.x-2.x versions prior to 7.x-2.9.
  • Piwik 8.x-2.x versions prior to 8.x-1.1.

Drupal core is not affected. If you do not use the contributed Piwik Web Analytics module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Piwik module for Drupal 7.x, upgrade to Piwik 7.x-2.9
  • If you use the Piwik module for Drupal 8.x, upgrade to Piwik 8.x-1.1
  • Also see the Piwik Web Analytics project page.

    Reported by Fixed by Coordinated by Contact and More Information

    The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

    Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

    Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

    Drupal version: Drupal 7.xDrupal 8.x

    Google Analytics - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2016-042

    Wed, 08/10/2016 - 9:20am
    Description

    This module enables you to add integration with Google Analytics statistics service.
    The module allows admin users to enter custom JavaScript snippets to add advanced tracking functionality. The permission required to enter this JavaScript was not marked as restricted.

    This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer Google Analytics".

    For greater flexibility a new feature has been added to the module to implement the new permission "Add JavaScript snippets" that can be assigned to users who are allowed to add JS code snippets into your web site.

    If you have granted the Administer Google Analytics to non trusted users, please check your settings to make sure all javascript entered is valid.

    CVE identifier(s) issued
    • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
    Versions affected
  • Google Analytics 7.x-2.x versions prior to 7.x-2.3.
  • Google Analytics 8.x-2.x versions prior to 8.x-2.1.
  • Drupal core is not affected. If you do not use the contributed Google Analytics module, there is nothing you need to do.

    Solution

    Install the latest version:

  • If you use the Google Analytics module for Drupal 7.x, upgrade to Google Analytics 7.x-2.3
  • If you use the Google Analytics module for Drupal 8.x, upgrade to Google Analytics 8.x-2.1
  • Also see the Google Analytics project page.

    Reported by Fixed by Coordinated by Contact and More Information

    The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

    Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

    Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

    Drupal version: Drupal 7.xDrupal 8.x

    Administration Views - Critical - Access bypass - SA-CONTRIB-2016-041

    Wed, 08/03/2016 - 12:42pm
    Description

    Administration Views module replaces overview/listing pages with actual views for superior usability.

    The module does not check access properly under certain circumstances. Anonymous users could get access to read information they should not have access to.

    CVE identifier(s) issued
    • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
    Versions affected
    • administration views 7.x-1.x versions prior to 7.x-1.6.

    Drupal core is not affected. If you do not use the contributed Administration Views module, there is nothing you need to do.

    Solution

    Install the latest version:

    Also see the Administration Views project page.

    Reported by Fixed by Coordinated by Contact and More Information

    The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

    Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

    Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

    RESTWS - Highly critical - Remote code execution - SA-CONTRIB-2016-040

    Wed, 07/13/2016 - 11:01am
    Description

    This module enables you to expose Drupal entities as RESTful web services.

    RESTWS alters the default page callbacks for entities to provide additional functionality.

    A vulnerability in this approach allows an attacker to send specially crafted requests resulting in arbitrary PHP execution.

    There are no mitigating factors. This vulnerability can be exploited by anonymous users.

    CVE identifier(s) issued
    • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
    Versions affected
    • RESTful Web Services 7.x-2.x versions prior to 7.x-2.6.
    • RESTful Web Services 7.x-1.x versions prior to 7.x-1.7.

    Drupal core is not affected. If you do not use the contributed RESTful Web Services module, there is nothing you need to do.

    Solution

    Install the latest version:

    Also see the RESTful Web Services project page.

    Reported by Fixed by Coordinated by Contact and More Information

    The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

    Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

    Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

    Drupal version: Drupal 7.x

    Pages