News reader

Password Reset Landing Page (PRLP) - Highly critical - Access bypass - SA-CONTRIB-2020-021

Security advisories (contrib) - 27 May 2020, 17:47
Project: Password Reset Landing Page (PRLP)
Date: 2020-May-27
Security risk: Highly critical 20/25 AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

This module enables you to force a password update when a password reset link is used.
The module does not sufficiently validate the login URL, allowing a malicious user to log in as another user with a specially crafted URL.

Solution: 

Install the latest version:

  • If you use the PRLP module for Drupal 8.x, upgrade to PRLP 8.x-1.5

Also see the Password Reset Landing Page (PRLP) project page.


Drupal Commerce - Moderately critical - Access bypass - SA-CONTRIB-2020-020

Security advisories (contrib) - 27 May 2020, 17:32
Project: Drupal Commerce
Date: 2020-May-27
Security risk: Moderately critical 12/25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

Drupal Commerce is used to build eCommerce websites and applications. It is possible to configure Commerce to permit orders by anonymous users. In this configuration, customers who do not choose to create an account upon checkout completion remain anonymous, and the resulting orders are never assigned an owner.

When anonymous users are granted the "View own orders" permission, they are able to see any such anonymous order by navigating directly to its view page. The module does not include the extra access control needed to ensure that anonymous users can only view orders they themselves placed.

This vulnerability is mitigated by the fact that a site must be configured to permit anonymous checkout and an attacker must be an anonymous user with the permission "View own orders".
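The failure mode here is that "own" is decided by comparing the order's owner with the current user, and for anonymous visitors both sides of that comparison are the anonymous user (uid 0). The following is an added example, not Drupal Commerce's code or its fix: it models the naive check next to a stricter one that additionally requires the order to have been placed in the visitor's own session. The class names, the session list and the permission string "view own commerce_order" are this example's assumptions.

```php
<?php
// Added example, not Drupal Commerce code: models why comparing an order's
// owner with the current user is not an ownership check for anonymous users,
// and one way to tighten it. Class and function names are this example's own;
// the permission string "view own commerce_order" is assumed.

final class Order {
  public int $id;
  public int $customerId;   // 0 = anonymous, never assigned an owner
  public function __construct(int $id, int $customerId) {
    $this->id = $id;
    $this->customerId = $customerId;
  }
}

final class Account {
  public int $id;           // 0 = the anonymous user
  private array $permissions;
  public function __construct(int $id, array $permissions) {
    $this->id = $id;
    $this->permissions = $permissions;
  }
  public function isAnonymous(): bool { return $this->id === 0; }
  public function hasPermission(string $permission): bool {
    return in_array($permission, $this->permissions, TRUE);
  }
}

// Vulnerable pattern: every anonymous visitor has uid 0 and every anonymous
// order has customer 0, so "own" is true for all of them.
function can_view_order_naive(Order $order, Account $account): bool {
  return $account->hasPermission('view own commerce_order')
    && $order->customerId === $account->id;
}

// Hardened pattern: an anonymous visitor only sees orders whose IDs were
// recorded in that visitor's own session when the order was placed.
function can_view_order(Order $order, Account $account, array $sessionOrderIds): bool {
  if (!$account->hasPermission('view own commerce_order')) {
    return FALSE;
  }
  if ($account->isAnonymous()) {
    return $order->customerId === 0 && in_array($order->id, $sessionOrderIds, TRUE);
  }
  return $order->customerId === $account->id;
}

// Constructed scenario: two anonymous orders, one placed in this session.
function demo(): array {
  $visitor = new Account(0, ['view own commerce_order']);
  $mine    = new Order(17, 0);
  $theirs  = new Order(18, 0);
  $session = [17];   // order IDs this visitor's session placed
  return [
    'naive_sees_others' => can_view_order_naive($theirs, $visitor),     // TRUE: the bug
    'fixed_sees_own'    => can_view_order($mine, $visitor, $session),   // TRUE
    'fixed_sees_others' => can_view_order($theirs, $visitor, $session), // FALSE
  ];
}

var_dump(demo());
```

The general rule this illustrates: a permission named "own" needs an ownership relation that is actually unique per principal. For accounts that is the uid; for anonymous visitors the only thing the site can tie an order to is the session that created it, so the check has to consult that session (and should fail closed if nothing is recorded).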

Solution: 

Install the latest version:

Also see the Drupal Commerce project page.


Drupal core - Moderately critical - Open Redirect - SA-CORE-2020-003

Security advisories (core) - 20 May 2020, 17:22
Project: Drupal core
Date: 2020-May-20
Security risk: Moderately critical 10/25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All
Vulnerability: Open Redirect
Description:

Drupal 7 has an Open Redirect vulnerability. For example, a user could be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL.

The vulnerability is caused by insufficient validation of the destination query parameter in the drupal_goto() function.

Other versions of Drupal core are not vulnerable.
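A destination parameter is only safe to follow when it cannot resolve to another origin, and "starts with a slash" is not enough: browsers treat `//host`, `/\host` and control-character variants as off-site. The following is an added example, not drupal_goto() or Drupal's fix: a stand-alone check that accepts only site-local paths and otherwise falls back to the front page. Function names and the test inputs are this example's own.

```php
<?php
// Added example, not Drupal core's drupal_goto() or its fix: a conservative
// check that accepts a ?destination= value only when it can resolve to a path
// on this site, and otherwise falls back to the front page. Function names are
// this example's own.

/**
 * Returns TRUE only when $destination is a site-local path.
 */
function is_local_destination(string $destination): bool {
  // Browsers strip tab/newline and treat other control characters loosely
  // ("/\t/evil.example" becomes "//evil.example"), so reject them outright.
  if (preg_match('/[\x00-\x1F\x7F]/', $destination)) {
    return FALSE;
  }
  // Scheme-relative and backslash forms ("//evil.example", "/\evil.example",
  // "\\evil.example") all navigate off-site.
  if (preg_match('#^\s*[/\\\\]{2}#', $destination)) {
    return FALSE;
  }
  $parts = parse_url($destination);
  if ($parts === FALSE) {
    return FALSE;
  }
  // Any scheme or authority component means an absolute URL. parse_url() also
  // reports "evil.example:80" as host + port.
  foreach (['scheme', 'host', 'port', 'user', 'pass'] as $component) {
    if (isset($parts[$component])) {
      return FALSE;
    }
  }
  // A colon before the first slash ("data:...", "foo:bar") is a scheme that
  // parse_url() did not recognise; treat it as external.
  $path = $parts['path'] ?? '';
  $colon = strpos($path, ':');
  $slash = strpos($path, '/');
  if ($colon !== FALSE && ($slash === FALSE || $colon < $slash)) {
    return FALSE;
  }
  return TRUE;
}

/**
 * Value to redirect to: the requested destination if local, else $fallback.
 */
function safe_destination(?string $destination, string $fallback = '/'): string {
  if ($destination === NULL || trim($destination) === '') {
    return $fallback;
  }
  return is_local_destination($destination) ? $destination : $fallback;
}

// Constructed inputs with the expected verdicts.
$cases = [
  '/user/1'               => TRUE,
  'node/5?foo=bar'        => TRUE,
  '/foo:bar'              => TRUE,
  'https://evil.example/' => FALSE,
  '//evil.example/'       => FALSE,
  '/\\evil.example'       => FALSE,
  "/\t/evil.example"      => FALSE,
  'javascript:alert(1)'   => FALSE,
  'evil.example:80'       => FALSE,
];
foreach ($cases as $input => $expected) {
  if (is_local_destination($input) !== $expected) {
    throw new RuntimeException("unexpected verdict for $input");
  }
}
echo safe_destination('//evil.example/'), "\n";   // "/"
echo safe_destination('/user/1'), "\n";           // "/user/1"
```

The check is deliberately an allow-list of one shape (a relative path with optional query and fragment) rather than a deny-list of known schemes; every bypass in this bug class has come from a parser disagreement between the server-side check and the browser, and the narrower the accepted shape, the less room there is for one.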

Solution: 

Install the latest version:


Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2020-002

Security advisories (core) - 20 May 2020, 17:18
Project: Drupal core
Date: 2020-May-20
Security risk: Moderately critical 10/25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross Site Scripting
Description:

The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are

[...] security issues in jQuery’s DOM manipulation methods, as in .html(), .append(), and the others. Security advisories for both of these issues have been published on GitHub.

Those advisories are:

These vulnerabilities may be exploitable on some Drupal sites. This Drupal security release backports the fixes to the relevant jQuery functions, without making any other changes to the jQuery version that is included in Drupal core or running on the site via some other module such as jQuery Update. It is not necessary to update jquery_update on Drupal 7 sites that have the module installed.

Backwards-compatibility code has also been added to minimize regressions to Drupal sites that might rely on jQuery's prior behavior. With jQuery 3.5, incorrect self-closing HTML tags in JavaScript for elements where end tags are normally required will encounter a change in what jQuery returns or inserts. To minimize that disruption in 8.8.x and earlier, this security release retains jQuery's prior behavior for most safe tags. There may still be regressions for edge cases, including invalidly self-closed custom elements on Internet Explorer.

(Note: the backwards compatibility layer will not be included in the upcoming Drupal 8.9 and 9.0 releases, so Drupal 8 and 9 modules, themes, and sites should correct tags in JavaScript to properly use closing tags.)

If you find a regression caused by the jQuery changes, please report it in Drupal core's issue queue (or that of the relevant contrib project). However, if you believe you have found a security issue, please report it privately to the Drupal Security Team.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.7 are end-of-life and do not receive security coverage. Sites on 8.6 or earlier should update to 8.7.14.

The pre-release Drupal versions (8.9 and 9.0) have updated jQuery to version 3.5.1 as of 8.9.0-beta3 and 9.0.0-beta3.


reCAPTCHA v3 - Critical - Access bypass - SA-CONTRIB-2020-019

Security advisories (contrib) - 13 May 2020, 18:44
Project: reCAPTCHA v3
Date: 2020-May-13
Security risk: Critical 18/25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

The reCAPTCHA v3 module enables you to protect your forms using Google reCAPTCHA v3.

If the reCAPTCHA v3 challenge succeeds, all other form validation is bypassed. This makes it possible for attackers to submit invalid or incomplete forms.

This vulnerability only affects forms that are protected by reCAPTCHA v3 and have server-side validation steps (e.g. required fields or custom validation functions).
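A CAPTCHA validator should only ever be able to add a failure; a passing challenge must not be able to make other validators' failures disappear. The following is an added example, not the reCAPTCHA v3 module's code or its fix: a minimal validation pipeline in the style of Drupal's Form API showing one way this class of bypass arises (a validator that resets the error list on success) next to the additive form. The scoring stub stands in for the call to Google's verification endpoint; the class and function names are this example's own.

```php
<?php
// Added example, not the reCAPTCHA v3 module's code: a minimal validation
// pipeline in the style of Drupal's Form API showing one way a CAPTCHA
// validator can silently discard every other validator's result, and the
// additive form that cannot. The scoring stub stands in for Google's
// siteverify call; names are this example's own.

final class FormState {
  private array $errors = [];
  public function setError(string $field, string $message): void { $this->errors[$field] = $message; }
  public function clearErrors(): void { $this->errors = []; }
  public function getErrors(): array { return $this->errors; }
}

// Stub: the constructed token "good" scores 0.9, anything else 0.1.
function captcha_score(string $token): float {
  return $token === 'good' ? 0.9 : 0.1;
}

function validate_required(array $values, FormState $fs): void {
  foreach (['email', 'message'] as $field) {
    if (trim($values[$field] ?? '') === '') {
      $fs->setError($field, "$field is required.");
    }
  }
}

// Vulnerable pattern: a passing challenge resets the error list, so whatever
// earlier validators found is thrown away. (Returning early from a combined
// validate path before the other checks run has the same effect.)
function captcha_validate_broken(array $values, FormState $fs, float $threshold): void {
  if (captcha_score($values['token'] ?? '') >= $threshold) {
    $fs->clearErrors();
    return;
  }
  $fs->setError('captcha', 'Challenge failed.');
}

// Correct pattern: a validator only ever adds its own error and never touches
// the results of the others, so validator order and weight no longer matter.
function captcha_validate(array $values, FormState $fs, float $threshold): void {
  if (captcha_score($values['token'] ?? '') < $threshold) {
    $fs->setError('captcha', 'Challenge failed.');
  }
}

function run_validators(array $values, callable ...$validators): array {
  $fs = new FormState();
  foreach ($validators as $validator) {
    $validator($values, $fs);
  }
  return $fs->getErrors();
}

// Constructed submission: both required fields blank, but the CAPTCHA passes.
$submission = ['email' => '', 'message' => '', 'token' => 'good'];
$threshold  = 0.5;

$broken = run_validators($submission, 'validate_required',
  function (array $v, FormState $fs) use ($threshold) { captcha_validate_broken($v, $fs, $threshold); });
$fixed  = run_validators($submission, 'validate_required',
  function (array $v, FormState $fs) use ($threshold) { captcha_validate($v, $fs, $threshold); });

var_dump(count($broken));   // int(0): the required-field errors were lost
var_dump(count($fixed));    // int(2)
```

Note that the broken variant is order-dependent: if it happened to run before the required-field check it would look correct in testing. Any validator whose result depends on where it sits in the chain is a sign that it is doing more than reporting its own verdict.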

Solution: 

Install the latest version:

Also see the reCAPTCHA v3 project page.


Webform - Critical - Access bypass - SA-CONTRIB-2020-018

Security advisories (contrib) - 13 May 2020, 18:22
Project: Webform
Date: 2020-May-13
Security risk: Critical 15/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

The Webform module enables you to build a 'Term checkboxes' element.

The module does not sufficiently check term 'view' access when rendering 'Term checkboxes' elements: unpublished terms always appear in the element.

Solution: 

Install the latest version:

Also see the Webform project page.


Webform - Moderately critical - Access bypass - SA-CONTRIB-2020-017

Security advisories (contrib) - 6 May 2020, 19:02
Project: Webform
Date: 2020-May-06
Security risk: Moderately critical 11/25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Description:

This module enables you to build forms and surveys in Drupal.

The Webform Node sub-module allows these forms to be associated with a Drupal node. The Webform Node module does not implement access checking in the same manner as other nodes and entities. As such, writers of custom modules which implement webform_node, node, or entity access checks may not achieve the intended access results for Webform Node content.

There is no known exploit of this vulnerability and the vulnerability only exists on sites with custom code and a node access module in use.

Solution: 

Install the latest version:

Also see the Webform project page.


Webform - Critical - Access bypass - SA-CONTRIB-2020-016

Security advisories (contrib) - 6 May 2020, 18:59
Project: Webform
Date: 2020-May-06
Security risk: Critical 15/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

The Webform module enables you to build 'Term select' and 'Term checkboxes' elements.

The module does not sufficiently check term 'view' access when rendering the 'Term select' and 'Term checkboxes' elements: unpublished terms always appear in these elements.

Solution: 

Install the latest version:

Also see the Webform project page.


Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-015

Security advisories (contrib) - 6 May 2020, 18:55
Project: Webform
Date: 2020-May-06
Security risk: Moderately critical 14/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross site scripting
Description:

This module enables you to build forms and surveys in Drupal.

The module does not sufficiently sanitize Webform labels or visibility conditions when a Webform block is placed. When a Webform block is placed and visible on a site, any JavaScript code contained in the webform's label is executed.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Edit own webform" (or "Edit any webform").

Solution: 

Install the latest version:

Also see the Webform project page.


Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-014

Security advisories (contrib) - 6 May 2020, 18:52
Project: Webform
Date: 2020-May-06
Security risk: Moderately critical 13/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross site scripting
Description:

This module enables you to build forms and surveys in Drupal.

The module does not sufficiently filter user input when a webform is edited: the message for the character min/max counter is not sufficiently filtered and therefore allows JavaScript to be executed through it.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Edit own webform" (or "Edit any webform").

Solution: 

Install the latest version:

Also see the Webform project page.


Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-013

Security advisories (contrib) - 6 May 2020, 18:50
Project: Webform
Date: 2020-May-06
Security risk: Moderately critical 13/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross site scripting
Description:

The Webform module allows site builders to create forms.

The module does not sufficiently prevent malicious code from being rendered through options elements (select menus, checkboxes, radios, etc.) when the site builder allows the raw option value to be displayed.

This vulnerability is mitigated by the fact that a site builder must be able to build webforms and must select 'raw' as the options element's submission display.

Solution: 

Install the latest version:

Also see the Webform project page.


Webform - Moderately critical - Access bypass - SA-CONTRIB-2020-012

Security advisories (contrib) - 6 May 2020, 18:47
Project: Webform
Date: 2020-May-06
Security risk: Moderately critical 13/25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Description:

This module enables you to build forms and surveys in Drupal.

The module does not sufficiently validate data submitted into the Webform Signature element during webform submission creation. This allows a malicious user to generate and extract HMAC hashes for arbitrary data. Such HMAC hashes are used in multiple places in Drupal 8 core and contrib modules.

An extracted HMAC hash could be used to view restricted site content or log in as another user in certain situations.

This vulnerability is mitigated by the fact that an attacker must be able to create a webform submission with "Signature" element and then be able to view the submission.
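Why an HMAC over attacker-chosen data is a problem: any token scheme keyed on the same secret accepts the oracle's output as a valid signature, and rotating the salt (as advised below) is the only way to retire signatures already obtained. The following is an added example, not Webform or Drupal core code: it shows the forgery against a token scheme keyed directly on the site secret, and the same oracle rendered harmless by deriving a separate key per purpose. The token layout, function names and the constructed secret are this example's own; `hmac_base64()` mirrors the URL-safe base64 HMAC-SHA256 form that Drupal's `Crypt::hmacBase64()` produces.

```php
<?php
// Added example, not Webform or Drupal core code. Shows what an attacker gains
// from any component that returns an HMAC over attacker-chosen data under the
// site-wide secret, and how deriving a separate key per purpose contains the
// damage. The token layout, function names and the constructed secret are this
// example's own; hmac_base64() mirrors the URL-safe base64 HMAC-SHA256 form
// Drupal's Crypt::hmacBase64() produces.

function hmac_base64(string $data, string $key): string {
  $raw = hash_hmac('sha256', $data, $key, TRUE);
  return str_replace(['+', '/', '='], ['-', '_', ''], base64_encode($raw));
}

function split_token(string $token): array {
  // "uid:expires:mac", padded with NULLs if parts are missing.
  return explode(':', $token, 3) + [NULL, NULL, NULL];
}

// --- Weak design: every feature signs directly with the raw site secret. ----

function sign_access_token_weak(string $secret, int $uid, int $expires): string {
  $payload = "$uid:$expires";
  return $payload . ':' . hmac_base64($payload, $secret);
}

function verify_weak(string $secret, string $token): ?int {
  [$uid, $expires, $mac] = split_token($token);
  if ($mac === NULL) {
    return NULL;
  }
  $valid = hash_equals(hmac_base64("$uid:$expires", $secret), $mac);
  return $valid && (int) $expires > time() ? (int) $uid : NULL;
}

// The leaky feature: it HMACs whatever the user submits with the same secret,
// which is exactly the oracle the advisory describes.
function signature_element_oracle(string $secret, string $submitted): string {
  return hmac_base64($submitted, $secret);
}

// --- Hardened design: a distinct key per purpose, derived from the secret. --

function purpose_key(string $secret, string $purpose): string {
  return hash_hmac('sha256', 'purpose:' . $purpose, $secret, TRUE);
}

function sign_access_token(string $secret, int $uid, int $expires): string {
  $payload = "$uid:$expires";
  return $payload . ':' . hmac_base64($payload, purpose_key($secret, 'access-token'));
}

function verify(string $secret, string $token): ?int {
  [$uid, $expires, $mac] = split_token($token);
  if ($mac === NULL) {
    return NULL;
  }
  $valid = hash_equals(hmac_base64("$uid:$expires", purpose_key($secret, 'access-token')), $mac);
  return $valid && (int) $expires > time() ? (int) $uid : NULL;
}

function signature_element(string $secret, string $submitted): string {
  return hmac_base64($submitted, purpose_key($secret, 'webform-signature'));
}

// Constructed secret; a real hash_salt is the random value the installer writes.
$secret  = 'constructed-site-secret-do-not-use';
$expires = time() + 86400;
$payload = "1:$expires";   // attacker-chosen data: "uid 1, valid for a day"

// Weak: the oracle output is a valid access token for uid 1.
$forged = $payload . ':' . signature_element_oracle($secret, $payload);
var_dump(verify_weak($secret, $forged));   // int(1)
var_dump(verify_weak($secret, sign_access_token_weak($secret, 1, $expires)));   // int(1)

// Hardened: the same oracle output is useless in the access-token domain.
$forged = $payload . ':' . signature_element($secret, $payload);
var_dump(verify($secret, $forged));        // NULL

// A legitimately issued token still verifies, and rotating the secret
// invalidates everything issued under the old one.
var_dump(verify($secret, sign_access_token($secret, 1, $expires)));            // int(1)
var_dump(verify('rotated-secret', sign_access_token($secret, 1, $expires)));   // NULL
```

Two points carry over to the real system. First, the fix for the element itself is to stop computing MACs over unvalidated input at all; key separation is the defence in depth that limits what a future oracle can reach. Second, the last line is why the advisory recommends a new hash salt: verification compares against a MAC recomputed under the current secret, so any hash extracted under the old one stops verifying the moment the salt changes.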

For Drupal instances where the "Signature" webform element is available to low-trust users, it is advised to change the hash salt in settings.php to a new random value. The relevant extract from settings.php is:

/**
 * Salt for one-time login links, cancel links, form tokens, etc.
 *
 * This variable will be set to a random value by the installer. All one-time
 * login links will be invalidated if the value is changed. Note that if your
 * site is deployed on a cluster of web servers, you must ensure that this
 * variable has the same value on each server.
 *
 * For enhanced security, you may set this variable to the contents of a file
 * outside your document root; you should also ensure that this file is not
 * stored with backups of your database.
 *
 * Example:
 * @code
 * $settings['hash_salt'] = file_get_contents('/home/example/salt.txt');
 * @endcode
 */
$settings['hash_salt'] = 'new-value-here';

Solution:

Install the latest version:

Also see the Webform project page.

Reported By: 
  • Heine of the Drupal Security Team

Webform - Critical - Remote Code Execution - SA-CONTRIB-2020-011

Security advisories (contrib) - 6 May 2020, 18:43
Project: Webform
Date: 2020-May-06
Security risk: Critical 17/25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Remote Code Execution
Description:

This module enables you to build forms and surveys in Drupal.

The module does not sufficiently filter webform element properties (attributes) when a webform is edited. A malicious user could craft an attribute (#element_validate, for example) that invokes arbitrary PHP code.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Edit own webform" (or "Edit any webform").
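Webform elements are Drupal render arrays, and several of their `#` properties hold PHP callables that the Form and Render APIs invoke while processing the form; if an editor can set any of them, the value becomes a function name the server will call. The following is an added example, not Webform's code or its fix: it strips the callback-bearing properties from an untrusted element tree before the tree is handed to the renderer. The property list is assumed from Drupal core's Form/Render API documentation and the function names are this example's own.

```php
<?php
// Added example, not Webform's code or its fix. Webform elements are Drupal
// render arrays, and several '#' properties hold PHP callables that the Form
// and Render APIs invoke; any one of them an editor can set is a code
// execution sink. This strips those properties from an untrusted element
// tree before it reaches the renderer. The property list is assumed from
// Drupal core's Form/Render API documentation; names are this example's own.

const CALLBACK_PROPERTIES = [
  '#element_validate', '#process', '#after_build', '#pre_render', '#post_render',
  '#value_callback', '#submit', '#validate', '#access_callback', '#lazy_builder',
  '#ajax',   // an array carrying a 'callback' key
];

/**
 * Recursively removes callback-bearing properties.
 *
 * @param array $removed  Filled with "path/#property" for each removal.
 */
function strip_callback_properties(array $element, array &$removed, string $path = ''): array {
  $prefix = $path === '' ? '' : $path . '/';
  foreach ($element as $key => $value) {
    if (is_string($key) && $key !== '' && $key[0] === '#') {
      if (in_array($key, CALLBACK_PROPERTIES, TRUE)) {
        $removed[] = $prefix . $key;
        unset($element[$key]);
      }
      continue;   // other '#' properties are data (title, options, ...)
    }
    if (is_array($value)) {
      // Keys without '#' are child elements: recurse into them.
      $element[$key] = strip_callback_properties($value, $removed, $prefix . $key);
    }
  }
  return $element;
}

// Constructed element tree as an editor with "Edit own webform" might submit it.
$untrusted = [
  'email' => [
    '#type' => 'email',
    '#title' => 'Email',
    '#required' => TRUE,
    '#element_validate' => ['system'],   // would be called as a validator
  ],
  'details' => [
    '#type' => 'details',
    '#title' => 'More',
    'note' => [
      '#type' => 'textfield',
      '#ajax' => ['callback' => 'phpinfo', 'event' => 'change'],
      '#pre_render' => [['SomeClass', 'run']],
    ],
  ],
];

$removed = [];
$clean = strip_callback_properties($untrusted, $removed);
print_r($removed);
// email/#element_validate, details/note/#ajax, details/note/#pre_render
var_dump(isset($clean['email']['#element_validate']));   // bool(false)
var_dump($clean['email']['#required']);                   // bool(true)
```

A deny-list like this is the minimum; the stronger design is to allow-list, per element type, exactly the properties an editor may set, so that a callback property added to the Form API later does not silently become reachable.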

Solution: 

Install the latest version:

Also see the Webform project page.


JSON:API - Critical - Unsupported - SA-CONTRIB-2020-010

Security advisories (contrib) - 15 April 2020, 17:45
Project: JSON:API
Version: 8.x-1.26
Date: 2020-April-15
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

This module provides a JSON:API standards-compliant API for accessing and manipulating Drupal content and configuration entities.

The security team and module maintainers are marking this project unsupported. Both the 8.x-1.x and 8.x-2.x versions are unsupported, and users of either version are strongly encouraged to upgrade to a supported version of Drupal core, which includes a supported version of JSON:API.

The eventual removal of security coverage for the JSON:API contributed module was announced with the release of JSON:API 8.x-1.22 on 28 June 2018.

Additionally, there is a known security issue with the 8.x-1.x branch of the project that will not be fixed by the maintainers. That issue is not present in the 8.x-2.x branch of the project, nor is it present in Drupal core.

Solution: 

Users of the module are encouraged to upgrade to a supported version of Drupal core, which is distributed with a supported version of JSON:API.

If your site is currently using a release from the 8.x-1.x branch of the module, you may be required to apply fixes for the breaking changes documented here.

Also see the JSON:API project page.


Spamicide - Critical - Access bypass - SA-CONTRIB-2020-009

Security advisories (contrib) - 8 April 2020, 18:14
Project: Spamicide
Date: 2020-April-08
Security risk: Critical 18/25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

The Spamicide module protects Drupal forms with a form field that is hidden from normal users, but visible to spam bots.

The module doesn't require appropriate permissions for administrative pages leading to an Access Bypass.

Solution: 

Install the latest version:

Also see the Spamicide project page.


Svg Image - Critical - Cross site scripting - SA-CONTRIB-2020-008

Security advisories (contrib) - 25 March 2020, 19:05
Project: Svg Image
Date: 2020-March-25
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Cross site scripting
Description:

The SVG Image module allows SVG files to be uploaded.

The module did not sufficiently protect against malicious code inside SVG files leading to a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have permission to upload an SVG file.

Solution: 

Install the latest version:

Also see the Svg Image project page.


CKEditor - WYSIWYG HTML editor - Moderately critical - Cross site scripting - SA-CONTRIB-2020-007

Security advisories (contrib) - 18 March 2020, 18:21
Project: CKEditor - WYSIWYG HTML editor
Date: 2020-March-18
Security risk: Moderately critical 11/25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross site scripting
Description:

The CKEditor module (and its predecessor, FCKeditor module) allows Drupal to replace textarea fields with CKEditor 3.x/4.x (FCKeditor 2.x in case of FCKeditor module) - a visual HTML editor, sometimes called WYSIWYG editor.

Due to the use of the JavaScript `eval()` function on unfiltered data in the admin section, it was possible for a user with permission to create content that is visible in the admin area to inject a specially crafted script, causing Cross Site Scripting (XSS).

The problem existed in CKEditor module for Drupal, not in JavaScript libraries with the same names.

Solution: 

Install the latest version:

Also see the CKEditor - WYSIWYG HTML editor project page.


Drupal core - Moderately critical - Third-party library - SA-CORE-2020-001

Security advisories (core) - 18 March 2020, 18:07
Project: Drupal core
Version: 8.8.x-dev, 8.7.x-dev
Date: 2020-March-18
Security risk: Moderately critical 13/25 AC:Complex/A:User/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability: Third-party library
Description:

The Drupal project uses the third-party library CKEditor, which has released a security improvement that is needed to protect some Drupal configurations.

Vulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site’s users. When multiple people can edit content, the vulnerability can be used to execute XSS attacks against other people, including site admins with more access.

The latest versions of Drupal update CKEditor to 4.14 to mitigate the vulnerabilities.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.7.x have reached end-of-life and do not receive security coverage.

The CKEditor module can also be disabled to mitigate the vulnerability until the site is updated.

Note for Drupal 7 users

Drupal 7 core is not affected by this release; however, users who have installed the third-party CKEditor library (for example, with a contributed module) should ensure that the downloaded library is updated to CKEditor 4.14 or higher, or that CDN URLs point to a version of CKEditor 4.14 or higher. Disabling all WYSIWYG modules can mitigate the vulnerability until the site is updated.

SAML Service Provider - Critical - Access bypass - SA-CONTRIB-2020-006

Security advisories (contrib) - 11 March 2020, 16:53
Project: SAML Service Provider
Date: 2020-March-11
Security risk: Critical 15/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

This module enables you to authenticate Drupal users using an external SAML Identity Provider.

If the site is configured to allow visitors to register for user accounts but administrator approval is required, the module doesn't sufficiently enforce the administrative approval requirement, in the case where the requesting user has already authenticated through SAML.

This vulnerability is mitigated by the fact that user accounts created in this way have only default roles, which may not have access significantly beyond that of an anonymous user. To mitigate the vulnerability without upgrading, sites can disable public registration.

Solution: 

Install the latest version:

Also see the SAML Service Provider project page.


SVG Formatter - Critical - Cross site scripting - SA-CONTRIB-2020-005

Security advisories (contrib) - 4 March 2020, 18:06
Project: SVG Formatter
Date: 2020-March-04
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Cross site scripting
Description:

SVG Formatter module provides support for using SVG images on your website.

This security release updates third-party dependencies included in or required by SVG Formatter, fixing an XSS sanitizer bypass using entities and tab characters.

This vulnerability is mitigated by the fact that an attacker must be able to upload SVG files.
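Both this advisory and the Svg Image one (SA-CONTRIB-2020-008) above come down to the same thing: an SVG is an XML document that can carry scripts, event handlers, external references and a DTD, and serving one uploaded by a user from the site's origin without sanitizing it is stored XSS. The following is an added example, not the code of either module (both rely on a third-party sanitizer library): a small allow-list sanitizer built on PHP's DOMDocument showing what has to be removed, including rejecting any DOCTYPE outright so entity-based tricks never reach the filter. The element and attribute lists are this example's own minimal choice.

```php
<?php
// Added example, not the code of SVG Image or SVG Formatter (both rely on a
// third-party sanitizer library for this). A small allow-list SVG sanitizer
// built on DOMDocument, showing what has to go for an uploaded SVG to be safe
// to serve from the site's origin: scripts, event handlers, off-document
// references, foreign content, and any DTD. Element and attribute lists are
// this example's own minimal choice.

const SVG_NS = 'http://www.w3.org/2000/svg';

const ALLOWED_ELEMENTS = [
  'svg', 'g', 'defs', 'title', 'desc', 'path', 'rect', 'circle', 'ellipse',
  'line', 'polyline', 'polygon', 'text', 'tspan', 'use', 'clipPath', 'mask',
  'linearGradient', 'radialGradient', 'stop',
];

const ALLOWED_ATTRIBUTES = [
  'id', 'class', 'viewBox', 'width', 'height', 'x', 'y', 'x1', 'y1', 'x2', 'y2',
  'cx', 'cy', 'r', 'rx', 'ry', 'd', 'points', 'transform', 'opacity',
  'fill', 'fill-opacity', 'stroke', 'stroke-width', 'stroke-linecap',
  'stroke-linejoin', 'stroke-opacity', 'offset', 'stop-color', 'stop-opacity',
  'font-size', 'font-family', 'text-anchor', 'clip-path', 'mask',
  'href', 'xlink:href',   // value restricted below
];

/**
 * Returns sanitized SVG markup, or NULL when the input must be rejected.
 */
function sanitize_svg(string $svg): ?string {
  if (trim($svg) === '') {
    return NULL;
  }
  $previous = libxml_use_internal_errors(TRUE);
  $doc = new DOMDocument();
  // LIBXML_NONET blocks network access during parsing. Never add LIBXML_NOENT
  // or LIBXML_DTDLOAD here: entity substitution is how XXE and entity-based
  // filter bypasses work.
  $parsed = $doc->loadXML($svg, LIBXML_NONET);
  libxml_clear_errors();
  libxml_use_internal_errors($previous);

  // Malformed input, any DOCTYPE (entities, XXE), or a non-SVG root: reject.
  if (!$parsed || $doc->doctype !== NULL) {
    return NULL;
  }
  $root = $doc->documentElement;
  if ($root->namespaceURI !== SVG_NS || $root->localName !== 'svg') {
    return NULL;
  }

  // Processing instructions (e.g. xml-stylesheet) and comments carry nothing
  // an image needs.
  $xpath = new DOMXPath($doc);
  foreach ($xpath->query('//processing-instruction()|//comment()') as $node) {
    $node->parentNode->removeChild($node);
  }

  // Snapshot the list first: removing nodes while iterating a live list is unsafe.
  foreach (iterator_to_array($doc->getElementsByTagNameNS('*', '*'), FALSE) as $el) {
    if ($el->namespaceURI !== SVG_NS || !in_array($el->localName, ALLOWED_ELEMENTS, TRUE)) {
      // Drops <script>, <style>, <a>, <image>, <foreignObject>, <animate>, ...
      // together with their subtrees.
      $el->parentNode->removeChild($el);
      continue;
    }
    foreach (iterator_to_array($el->attributes, FALSE) as $attr) {
      $name = $attr->nodeName;
      $keep = in_array($name, ALLOWED_ATTRIBUTES, TRUE)
        && strncasecmp($name, 'on', 2) !== 0;   // belt and braces for handlers
      // References may only point inside this document: no javascript:,
      // data:, or remote URLs via <use>, gradients or clip paths.
      if ($keep && ($name === 'href' || $name === 'xlink:href')
          && !preg_match('/^\s*#[A-Za-z0-9_.:-]+$/', $attr->value)) {
        $keep = FALSE;
      }
      if (!$keep) {
        $el->removeAttributeNode($attr);
      }
    }
  }
  return $doc->saveXML($root);
}

// Constructed hostile upload.
$malicious = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <a xlink:href="javascript:alert(2)"><rect width="10" height="10"/></a>
  <use xlink:href="data:image/svg+xml;base64,PHN2Zy8+"/>
  <circle cx="5" cy="5" r="4" fill="red" onclick="alert(3)"/>
</svg>
SVG;

echo sanitize_svg($malicious), "\n";
// Output keeps only the <use/> (its href stripped) and the circle without onclick.
```

Even with a sanitizer in place, the cheapest mitigation for uploaded SVGs is to never serve them inline from the main origin: delivering them with `Content-Disposition: attachment`, or from a separate static-files origin, and embedding them only through `<img>` (which does not run scripts) removes the XSS impact regardless of what the filter misses.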

Solution: 

Install the latest version:

Also see the SVG Formatter project page.
