Biztonsági figyelmeztetések

Opening hours - Moderately Critical - XSS - SA-CONTRIB-2016-031

Biztonsági figyelmeztetések (contrib) - 2016. június 1. 15.14
Description

This module enables you to enter opening hours for locations in a highly detailed way.

The module doesn't sufficiently escape input data from user input.

This vulnerability is mitigated by the fact that an attacker must be able to edit opening hours by having a role with the permission “Edit opening hours for content”, or have permissions to edit taxonomy terms.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Opening Hours 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed Opening hours module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Opening hours project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

XML Sitemap - Moderately Critical - XSS - SA-CONTRIB-2016-030

Biztonsági figyelmeztetések (contrib) - 2016. május 25. 17.50
Description

The XML Sitemap module enables you to create sitemaps which help search engines to more intelligently crawl a website and keep their results up to date.

The module doesn't sufficiently filter the URL when it is displayed in the sitemap.

This vulnerability is mitigated if the setting for "Include a stylesheet in the sitemaps for humans." on the module's administration settings page is not enabled (the default is enabled).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • XML Sitemap 7.x-2.x versions prior to 7.x-2.3.

Drupal core is not affected. If you do not use the contributed XML Sitemap module, there is nothing you need to do.

Solution

Install the latest version:

Also see the XML Sitemap project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Views Megarow - Critical - Access Bypass - SA-CONTRIB-2016-029

Biztonsági figyelmeztetések (contrib) - 2016. május 18. 19.54
Description

This module enables you to display content from any path within a list of content inside a view or form. The content is displayed in a modal-like format when the user clicks on the "view link" or any custom links created.

The module doesn't sufficiently check access permissions when the user clicks on a views megarow link.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Views megarow 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed Views Megarow module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Views Megarow project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Registration Codes - Less Critical - Input Validation Vulnerability - SA-CONTRIB-028

Biztonsági figyelmeztetések (contrib) - 2016. május 18. 19.54
Description

This module enables you to allow users to enter a special registration code in order to sign up for the site.

The module doesn't sufficiently validate the entered registration code

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Registration Codes 7.x-2.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Registration codes module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Registration codes project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Dropbox client - Multiple Vulnerabilities - SA-CONTRIB-2016-027

Biztonsági figyelmeztetések (contrib) - 2016. május 18. 19.29
Description

This module enables you to view dropbox files in your Drupal site.

The module doesn't sufficiently sanitize filenames when displaying them to users or administrators leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must be able to upload files to the dropbox folder that the victim later views through the Drupal site.

Additionally, the module shipped with hardcoded and exposed Oauth credentials, making known users of the module exposed to phishing and/or access bypass.

The app secret has been made invalid, making the exposed secrets unusable for the attacker. This also makes the module unusable without upgrading and taking necessary steps to register a new Dropbox app.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All dropbox_client 7.x-3.x versions.

Drupal core is not affected. If you do not use the contributed Dropbox Client module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the dropbox_client module for Drupal 7.x, upgrade to dropbox_client 7.x-4.0
  • Versions 3.x is no longer supported

Also see the Dropbox Client project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x