Hírolvasó

Project: Drupal coreDate: 2019-February-20Security risk: Highly critical 20∕25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Remote Code ExecutionCVE IDs: CVE-2019-6340Description: 

Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.

A site is only affected by this if one of the following conditions is met:

• The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or
• the site has another web services module enabled (like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7).

Solution: 

• If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10.
• If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.11.
• Be sure to install any available security updates for contributed projects after updating Drupal core.
• No core update is required for Drupal 7, but several Drupal 7 contributed modules do require updates.

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

To immediately mitigate the vulnerability, you can disable all web services modules, or configure your web server(s) to not allow PUT/PATCH/POST requests to web services resources. Note that web services resources may be available on multiple paths depending on the configuration of your server(s). For Drupal 7, resources are for example typically available via paths (clean URLs) and via arguments to the "q" query argument. For Drupal 8, paths may still function when prefixed with index.php/.

Reported By: 

• Samuel Mortenson of the Drupal Security Team

Fixed By: 

• Sascha Grossenbacher
• Peter Wolanin of the Drupal Security Team
• Samuel Mortenson of the Drupal Security Team
• Daniel Wehner
• Cash Williams of the Drupal Security Team
• Wim Leers
• Jess of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team
• Alex Pott of the Drupal Security Team
• Francesco Placella
• Damian Lee
• Tobias Zimmermann
• Ted Bowman
• Damien McKenna of the Drupal Security Team
• Alex Bronstein of the Drupal Security Team
• Rob Loach
• Gabe Sullice
• Michael Hess of the Drupal Security Team
• Neil Drumm of the Drupal Security Team
• Heshan Wanigasooriya
• David Snopek of the Drupal Security Team
• Wolfgang Ziegler
• Miro Dietiker
• Truls S. Yggeseth

Project: Font Awesome IconsDate: 2019-February-20Security risk: Critical 18∕25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Remote Code ExecutionDescription: 

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details.

Solution: 

• If you use the Font Awesome Icons module for Drupal 8.x, upgrade to Font Awesome Icons 8.x-2.12.

Project: Translation Management ToolDate: 2019-February-20Security risk: Critical 16∕25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Remote Code ExecutionDescription: 

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details.

Solution: 

• If you use the TMGMT module for Drupal 8.x, upgrade to TMGMT 8.x-1.7.

Project: ParagraphsDate: 2019-February-20Security risk: Critical 18∕25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Remote Code ExecutionDescription: 

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details.

Solution: 

• If you use the Paragraphs module for Drupal 8.x, upgrade to Paragraphs 8.x-1.6.

Project: VideoDate: 2019-February-20Security risk: Critical 18∕25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Remote Code ExecutionDescription: 

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details.

Solution: 

Install the latest version:

• If you use the Video module for Drupal 8, upgrade to Video 8.x-1.4

Project: MetatagDate: 2019-February-20Security risk: Critical 18∕25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Remote code executionDescription: 

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details.

Solution: 

• If you use the Metatag module for Drupal 8.x, upgrade to Metatag 8.x-1.8.

Project: LinkDate: 2019-February-20Security risk: Critical 18∕25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Remote Code ExecutionDescription: 

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details.

Solution: 

Install the latest version:

• If you use the Link module for Drupal 7.x, upgrade to Link 7.x-1.6

Project: JSON:APIDate: 2019-February-20Security risk: Highly critical 22∕25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Remote code executionDescription: 

This resolves issues described in SA-CORE-2019-003 for this module.

Solution: 

Install the latest version:

• If you use the 2.x version of the JSON:API module for Drupal 8.x, upgrade to JSON:API 8.x-2.3
• If you use the 1.x version of the JSON:API module for Drupal 8.x, upgrade to JSON:API 8.x-1.25

Project: RESTful Web ServicesDate: 2019-February-20Security risk: Critical 19∕25 AC:None/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details.

Solution: 

Install the latest version:

• If you use the RESTful Web Services module for Drupal 7.x, upgrade to restws 7.x-2.8

Project: Entity RegistrationDate: 2019-February-13Security risk: Critical 18∕25 AC:Basic/A:None/CI:Some/II:Some/E:Exploit/TD:DefaultVulnerability: Multiple Vulnerabilities Description: 

This module enables you to take registrations for events, gathering information from registrants including email address and any other questions you wish to configure.

In some cases, an anonymous user may view, edit, or delete other anonymous registrations by guessing the URL of that registration based on a simple pattern.
If anonymous users are allowed to register and:

• anonymous users have the "View" permission, information included in the registration can be accessed.
• anonymous users have the "Edit" permission, information included in the registration can be altered.
• anonymous users have the "Delete" permission, the registration itself can be deleted.

This vulnerability is mitigated by the fact that it only applies to cases where the anonymous user role has specifically been given View, Edit, or Delete access to the specific Registration Type.

Solution: 

Install the latest version:

• If you use the Registration 1.x module for Drupal 7.x, upgrade to Registration 7.x-1.7
• If you use the Registration 2.x module for Drupal 7.x, upgrade to Registration 7.x-2.0-beta3

Reported By: 

• gaele

Fixed By: 

• Gabriel Carleton-Barnes

Coordinated By: 

• Michael Hess of the Drupal Security Team

Project: OAuth 2.0 Client Login (Single Sign-On)Date: 2019-February-13Security risk: Critical 17∕25 AC:Basic/A:None/CI:Some/II:Some/E:Proof/TD:AllVulnerability: Multiple Vulnerabilities Description: 

This module enables you to allow login into the Drupal websites through an external provider over the OAuth 2.0 protocol.

The module sets a Drupal variable used for redirection based on unsanitised user input, leading to an Open Redirect vulnerability. It also fails to sanitise user input which is displayed as part of an error message by a test authentication endpoint which is accessible by anonymous users, leading to an XSS vulnerability.

Solution: 

Install the latest version:

• If you use the miniOrange OAuth Client module for Drupal 7.x, upgrade to miniOrange OAuth Client 7.x-1.21

Reported By: 

• Drew Webber

Fixed By: 

• Drew Webber provisional security team member
• Gaurav Sood

Coordinated By: 

• Drew Webber provisional security team member

Project: Focal PointVersion: 7.x-1.17.x-1.0Date: 2019-February-13Security risk: Moderately critical 13∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross site scriptingDescription: 

This module enables a privileged user to specify the important part of an image for the purposes of cropping.

The module doesn't sufficiently sanitize certain form element attributes when the focal point widget is displayed on a form.

This vulnerability is mitigated by the fact that an attacker must have the ability to generate markup (e.g. with a field that accepts "filtered html") AND they must have permission to edit a node or entity whose add/edit form contains the focal point widget.

Solution: 

Install the latest version:

• If you use the focal_point module for Drupal 7.x, upgrade to Focal Point 7.x-1.2

Also see the Focal Point project page.

Reported By: 

• poiu

Fixed By: 

• Alexander Ross

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Acquia ConnectorDate: 2019-February-06Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

Acquia Connector facilitates sending certain telemetry data to Acquia for the purposes of analysis. The module automates the collection of site information to speed support communication and issue resolution. It is required for use with the Acquia Insight service.

The module does not properly enforce access control in a specific case, which can lead to disclosing information.

The vulnerability is mitigated by requiring the module diff feature to be enabled. This feature is enabled by default.

Solution: 

Install the latest version:

• If you use the Acquia Connector module for Drupal 7.x, upgrade to Acquia Connector 7.x-3.4
• If you use the Acquia Connector module for Drupal 8.x, upgrade to Acquia Connector 8.x-1.16

This vulnerability can be mitigated by unchecking Source code under Allow collection and examination of the following items on the Acquia Subscription settings (in Drupal 7) or Acquia Connector settings (in Drupal 8) page. The settings page is under Administration -> Configuration -> System.

For Drupal 7, this setting can also be disabled by setting the acquia_spi_module_diff_data variable to FALSE. Using Drush:

drush vset acquia_spi_module_diff_data FALSE

For Drupal 8, this setting can also be disabled by setting the spi.module_diff_data key within the acquia_connector.settings configuration setting to 0. Using Drush:

drush config-set acquia_connector.settings spi.module_diff_data 0

Also see the Acquia Connector project page.

Reported By: 

• Samuel Mortenson of the Drupal Security Team

Fixed By: 

• Mark Trapp
• Vlad Pavlovic

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Cash Williams of the Drupal Security Team

Project: Login AlertDate: 2019-February-06Security risk: Moderately critical 13∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

This module provides a field on user profiles which allows users to get a notification when their account logs in to the site. The notification e-mail includes a link which will terminate all sessions for that user. This is useful in the case of unauthorised access to the account.

The module doesn't employ sufficient randomness in the generation of URLs, which represents an Access Bypass vulnerability.

Solution: 

Install the latest version:

• If you use the Login Alert module for Drupal 8.x, upgrade to Login Alert 8.x-1.3

Also see the Login Alert project page.

Reported By: 

• Drew Webber provisional member of the Drupal Security Team

Fixed By: 

• Arvind Verma

Coordinated By: 

• Drew Webber provisional member of the Drupal Security Team
• Greg Knaddison member of the Drupal Security Team

Project: Public Download CountDate: 2019-February-06Security risk: Less critical 8∕25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:UncommonVulnerability: Open Redirect VulnerabilityDescription: 

This module enables you to track download counts of files linked from a Drupal site. Links in Drupal content are rewritten to go through an intermediate page that records download stats and then redirects to the final destination.

The module did not verify that the links provided to the intermediate page were actually present in the Drupal site content and did not contain checks to prevent external sites from accessing the counter.

Solution: 

Install the latest version:

• If you use pubdlcnt for Drupal 7.x, upgrade to pubdlcnt 7.x-1.3

Also see the Public Download Count project page.

Reported By: 

• Jack Over

Fixed By: 

• Corey Halpin

Coordinated By: 

• Michael Hess of the Drupal Security Team

Project: Anti Spam by CleanTalkDate: 2019-January-23Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:AllVulnerability: UnsupportedDescription: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466.

Solution: 

If you use this project, you should uninstall it.

Project: NodeaccessDate: 2019-January-23Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:AllVulnerability: UnsupportedDescription: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466.

Solution: 

If you use this project, you should uninstall it.

Project: Expand collapse formatterDate: 2019-January-23Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:AllVulnerability: UnsupportedDescription: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466.

Solution: 

If you use this project, you should uninstall it.

Project: Gridstack fieldDate: 2019-January-23Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:AllVulnerability: UnsupportedDescription: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466.

Solution: 

If you use this project, you should uninstall it.

Project: Panels BreadcrumbsVersion: 7.x-2.3Date: 2019-January-23Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross site scriptingDescription: 

Panels Breadcrumbs allows you to set your breadcrumbs directly from Panels configuration.

This module doesn't properly sanitize custom breadcrumb configuration in all cases, leading to an XSS vulnerability.

This vulnerability is mitigated by the fact that an attacker must have permission to edit breadcrumb configuration, or the value of a token used in breadcrumb configuration.

Solution: 

If using version 7.x-2.3 or earlier, upgrade to version 7.x-2.4 or later.

Reported By: 

• abramm

Fixed By: 

• abramm
• David Snopek of the Drupal Security Team

Coordinated By: 

• David Snopek of the Drupal Security Team
• Pere Orga of the Drupal Security Team
• Mike Potter of the Drupal Security Team