Security advisories (contrib)


Renderkit - Less critical - Access bypass - SA-CONTRIB-2020-026

July 1, 2020, 16:49
Project: Renderkit
Version: 7.x-1.x-dev
Date: 2020-July-01
Security risk: Less critical 9∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Description:

The renderkit module contains components which can transform the display of field items sent to it.

Some of these components do not respect the '#access' property on the field render element, and thus can make rendered field values visible to visitors who would otherwise not be allowed to see those field values.

This only occurs if all of the following conditions are true:

  • Your site has a field where viewing access is restricted on field level, e.g. using the "Field permissions" module.
  • The access-restricted field is displayed using the "Field with formatter" entity display from renderkit, in combination with one of the affected field display processor components.

Solution:

If a site is affected, there are 2 steps to fix this issue:

Step 1: Install the latest version of renderkit:

Step 2: Review your custom modules.

Look for classes that implement FieldDisplayProcessorInterface.
Consider extending the FieldDisplayProcessorBase class instead of implementing the interface.

Also see the Renderkit project page.


Internationalization - Moderately critical - Cross site scripting - SA-CONTRIB-2020-025

June 17, 2020, 18:04
Project: Internationalization
Version: 7.x-1.x-dev
Date: 2020-June-17
Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross site scripting
Description:

The Internationalization (i18n) module is a collection of modules that extend Drupal core's multilingual capabilities and allow you to build real-life multilingual sites.

A value in the term translation module is displayed without being escaped, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Edit terms in " on a taxonomy vocabulary with i18n term translation enabled, and the victim must use the i18n term translation page.

Solution: 

Install the latest version:

Also see the Internationalization project page.


Open ReadSpeaker - Moderately critical - Cross site scripting - SA-CONTRIB-2020-024

June 10, 2020, 18:44
Project: Open ReadSpeaker
Version: 8.x-1.x-dev
Date: 2020-June-10
Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross site scripting
Description:

This module enables you to add a configured ReadSpeaker button for text-to-speech for your site visitors.

The module doesn't sufficiently sanitize block configuration, causing a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

Solution: 

Install the latest version:

Also see the Open ReadSpeaker project page.


YubiKey - Less critical - Access bypass - SA-CONTRIB-2020-023

June 10, 2020, 18:33
Project: YubiKey
Version: 7.x-2.x-dev
Date: 2020-June-10
Security risk: Less critical 9∕25 AC:Complex/A:None/CI:None/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

This module enables you to use a Yubikey device to protect your Drupal user account. YubiKey is a secure method for logging into many websites using a cryptographically secure USB token.

The module doesn't sufficiently implement login flood control when the module is configured for YubiKey OTP only. This allows an attacker to attempt many YubiKey OTP codes. However, a brute force attack on this code is not practical in most situations given the length and randomness of the OTP codes.

Solution: 

Install the latest version:

Also see the YubiKey project page.


Services - Moderately critical - Access bypass - SA-CONTRIB-2020-022

June 3, 2020, 17:38
Project: Services
Version: 7.x-3.x-dev
Date: 2020-June-03
Security risk: Moderately critical 11∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

This module provides a standardized solution for building APIs so that external clients can communicate with Drupal.

The module's taxonomy term index resource doesn't take into consideration certain access control tags provided (but unused) by core, which certain contrib modules depend on.

This vulnerability is mitigated by the fact that your site must have the taxonomy term index resource enabled, your site must have a contributed module enabled which utilizes taxonomy term access control, and an attacker must know your API endpoint's path.

Solution: 

Install the latest version:

Also see the Services project page.


Password Reset Landing Page (PRLP) - Highly critical - Access bypass - SA-CONTRIB-2020-021

May 27, 2020, 17:47
Project: Password Reset Landing Page (PRLP)
Date: 2020-May-27
Security risk: Highly critical 20∕25 AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

This module enables you to force a password update when using a password reset link.

The module doesn't sufficiently validate the login URL, allowing a malicious user to use a specially crafted URL to log in as another user.

Solution: 

Install the latest version:

  • If you use the PRLP module for Drupal 8.x, upgrade to PRLP 8.x-1.5

Also see the Password Reset Landing Page (PRLP) project page.


Drupal Commerce - Moderately critical - Access bypass - SA-CONTRIB-2020-020

May 27, 2020, 17:32
Project: Drupal Commerce
Date: 2020-May-27
Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

Drupal Commerce is used to build eCommerce websites and applications. It's possible to configure commerce to permit orders by anonymous users. In this configuration, customers who do not choose to create an account upon checkout completion remain anonymous, and the resulting orders are never assigned an owner.

When anonymous users are granted the "View own orders" permission, they are able to see any such anonymous order via direct navigation to its view page. The module does not include extra access control necessary to ensure anonymous users are only able to view their own previously placed orders.

This vulnerability is mitigated by the fact that a site must be configured to permit anonymous checkout and an attacker must be an anonymous user with the permission "View own orders".

Solution: 

Install the latest version:

Also see the Drupal Commerce project page.


reCAPTCHA v3 - Critical - Access bypass - SA-CONTRIB-2020-019

May 13, 2020, 18:44
Project: reCAPTCHA v3
Date: 2020-May-13
Security risk: Critical 18∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

The reCaptcha v3 module enables you to protect your forms using the Google reCaptcha V3.

If the reCaptcha v3 challenge succeeds, all the other form validations are bypassed. This makes it possible for attackers to submit invalid or incomplete forms.

This vulnerability only affects forms that are protected by reCaptcha v3 and have server-side validation steps (e.g. required fields or custom validation functions).

Solution: 

Install the latest version:

Also see the reCAPTCHA v3 project page.


Webform - Critical - Access bypass - SA-CONTRIB-2020-018

May 13, 2020, 18:22
Project: Webform
Date: 2020-May-13
Security risk: Critical 15∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

This webform module enables you to build a 'Term checkboxes' element.

The module doesn't sufficiently check term 'view' access when rendering 'Term checkboxes' elements. Unpublished terms will always appear in the 'Term checkboxes' element.

Solution: 

Install the latest version:

Also see the Webform project page.


Webform - Moderately critical - Access bypass - SA-CONTRIB-2020-017

May 6, 2020, 19:02
Project: Webform
Date: 2020-May-06
Security risk: Moderately critical 11∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Description:

This module enables you to build forms and surveys in Drupal.

The Webform Node sub-module allows these forms to be associated with a Drupal node. The Webform Node module does not implement access checking in the same manner as other nodes and entities. As such, writers of custom modules which implement webform_node, node, or entity access checks may not achieve the intended access results for Webform Node content.

There is no known exploit of this vulnerability and the vulnerability only exists on sites with custom code and a node access module in use.

Solution: 

Install the latest version:

Also see the Webform project page.


Webform - Critical - Access bypass - SA-CONTRIB-2020-016

May 6, 2020, 18:59
Project: Webform
Date: 2020-May-06
Security risk: Critical 15∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

This webform module enables you to build 'Term select' and 'Term checkboxes' elements.

The module doesn't sufficiently check term 'view' access when rendering the 'Term select' and 'Term checkboxes' elements. Unpublished terms will always appear in the 'Term select' and 'Term checkboxes' elements.

Solution: 

Install the latest version:

Also see the Webform project page.


Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-015

May 6, 2020, 18:55
Project: Webform
Date: 2020-May-06
Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross site scripting
Description:

This module enables you to build forms and surveys in Drupal.

The module doesn't sufficiently sanitize Webform labels or visibility conditions when a webform is placed as a block. When a webform block is placed and visible on a website, any JavaScript code contained within the webform's label is executed.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Edit own webform" (or "Edit any webform").

Solution: 

Install the latest version:

Also see the Webform project page.


Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-014

May 6, 2020, 18:52
Project: Webform
Date: 2020-May-06
Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross site scripting
Description:

This module enables you to build forms and surveys in Drupal.

The module doesn't sufficiently filter user input when a webform is edited: the message related to the character min/max counter does not undergo sufficient filtering and thus allows execution of JavaScript code through it.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Edit own webform" (or "Edit any webform").

Solution: 

Install the latest version:

Also see the Webform project page.


Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-013

May 6, 2020, 18:50
Project: Webform
Date: 2020-May-06
Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross site scripting
Description:

The Webform module allows site builders to create forms.

The module doesn't sufficiently prevent malicious code from being rendered via an options element (i.e. select menu, checkboxes, radios, etc.) in the scenario where the site builder allows the raw option value to be displayed.

This vulnerability is mitigated by the fact that a site builder must be allowed to build webforms and must select raw as the options element's submission display.

Solution: 

Install the latest version:

Also see the Webform project page.


Webform - Moderately critical - Access bypass - SA-CONTRIB-2020-012

May 6, 2020, 18:47
Project: Webform
Date: 2020-May-06
Security risk: Moderately critical 13∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Description:

This module enables you to build forms and surveys in Drupal.

The module doesn't sufficiently validate data submitted into the Webform Signature element during webform submission creation. This allows a malicious user to generate and extract HMAC hashes for arbitrary data. Such HMAC hashes are used in multiple places in Drupal 8 core and contrib modules.

An extracted HMAC hash could be used to view restricted site content or log in as another user in certain situations.

This vulnerability is mitigated by the fact that an attacker must be able to create a webform submission with a "Signature" element and then be able to view the submission.

For Drupal instances that have the "Signature" webform element available to users with low trust, it is advised to change the value of the hash salt within the settings.php file to a new random value. The relevant extract from settings.php for such Drupal instances is:

/**
 * Salt for one-time login links, cancel links, form tokens, etc.
 *
 * This variable will be set to a random value by the installer. All one-time
 * login links will be invalidated if the value is changed. Note that if your
 * site is deployed on a cluster of web servers, you must ensure that this
 * variable has the same value on each server.
 *
 * For enhanced security, you may set this variable to the contents of a file
 * outside your document root; you should also ensure that this file is not
 * stored with backups of your database.
 *
 * Example:
 * @code
 *   $settings['hash_salt'] = file_get_contents('/home/example/salt.txt');
 * @endcode
 */
$settings['hash_salt'] = 'new-value-here';

Solution:

Install the latest version:

Also see the Webform project page.

Reported By:
  • Heine of the Drupal Security Team
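
The hash salt rotation advised in SA-CONTRIB-2020-012 above, as an added example (not code from the advisory, from Webform or from Drupal core): a simplified model in which tokens are HMAC-SHA256 values keyed with the hash salt, showing that a value obtained under the old salt stops verifying once the salt is replaced. The function names, the payload format and the salt file location are assumptions made for illustration.

```php
<?php
// Added example: simplified model of salt-keyed HMAC tokens, not Drupal's code.

/** URL-safe base64 without padding. */
function b64url(string $raw): string {
  return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

/** Hypothetical token scheme: HMAC-SHA256 of the payload, keyed with the salt. */
function mint_token(string $payload, string $hash_salt): string {
  return b64url(hash_hmac('sha256', $payload, $hash_salt, true));
}

/** Recompute the token under the configured salt and compare in constant time. */
function verify_token(string $payload, string $token, string $hash_salt): bool {
  return hash_equals(mint_token($payload, $hash_salt), $token);
}

/** Fresh salt from the OS CSPRNG. */
function new_hash_salt(): string {
  return b64url(random_bytes(55));
}

/** Store the salt in an owner-only file (keep it outside the document root). */
function store_salt(string $path, string $salt): void {
  $previous = umask(0077);
  $written = file_put_contents($path, $salt, LOCK_EX);
  umask($previous);
  if ($written === false) {
    throw new RuntimeException("Could not write salt file: $path");
  }
  chmod($path, 0600);
}

// Constructed sample data: payload format and file location are placeholders.
$payload  = 'constructed-payload:uid=1';
$old_salt = new_hash_salt();
$token    = mint_token($payload, $old_salt);  // value obtained before rotation

$salt_file = sys_get_temp_dir() . '/example-hash-salt.txt';
store_salt($salt_file, new_hash_salt());
// settings.php would then read: $settings['hash_salt'] = file_get_contents($salt_file);
$new_salt = file_get_contents($salt_file);

printf("before rotation: %s\n", verify_token($payload, $token, $old_salt) ? 'accepted' : 'rejected');
printf("after rotation:  %s\n", verify_token($payload, $token, $new_salt) ? 'accepted' : 'rejected');
```

As the settings.php comment quoted in the advisory notes, changing the salt also invalidates all outstanding one-time login links, and on a cluster every web server must receive the same new value.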

Webform - Critical - Remote Code Execution - SA-CONTRIB-2020-011

May 6, 2020, 18:43
Project: Webform
Date: 2020-May-06
Security risk: Critical 17∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Remote Code Execution
Description:

This module enables you to build forms and surveys in Drupal.

The module doesn't sufficiently filter webform element properties (attributes) when a webform is edited. A malicious user could craft an attribute (#element_validate, for example) that would invoke execution of undesired PHP code.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Edit own webform" (or "Edit any webform").

Solution: 

Install the latest version:

Also see the Webform project page.


JSON:API - Critical - Unsupported - SA-CONTRIB-2020-010

April 15, 2020, 17:45
Project: JSON:API
Version: 8.x-1.26
Date: 2020-April-15
Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities.

The security team and module maintainers are marking this project unsupported. Both the 8.x-1.x and 8.x-2.x versions are unsupported, and users of either version are strongly encouraged to upgrade to a supported version of Drupal core, which includes a supported version of JSON:API.

The eventual removal of security coverage for the JSON:API contributed module was announced with the release of JSON:API 8.x-1.22 on 28 June 2018.

Additionally, there is a known security issue with the 8.x-1.x branch of the project that will not be fixed by the maintainers. That issue is not present in the 8.x-2.x branch of the project, nor is it present in Drupal core.

Solution: 

Users of the module are encouraged to upgrade to a supported version of Drupal core, which is distributed with a supported version of JSON:API.

If your site is currently using a release from the 8.x-1.x branch of the module, you may be required to apply fixes for the breaking changes documented here.

Also see the JSON:API project page.


Spamicide - Critical - Access bypass - SA-CONTRIB-2020-009

April 8, 2020, 18:14
Project: Spamicide
Date: 2020-April-08
Security risk: Critical 18∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

The Spamicide module protects Drupal forms with a form field that is hidden from normal users, but visible to spam bots.

The module doesn't require appropriate permissions for administrative pages, leading to an Access Bypass.

Solution: 

Install the latest version:

Also see the Spamicide project page.


Svg Image - Critical - Cross site scripting - SA-CONTRIB-2020-008

March 25, 2020, 19:05
Project: Svg Image
Date: 2020-March-25
Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Cross site scripting
Description:

The SVG Image module allows users to upload SVG files.

The module did not sufficiently protect against malicious code inside SVG files, leading to a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have permission to upload an SVG file.

Solution: 

Install the latest version:

Also see the Svg Image project page.
