Hírolvasó

Linkit - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-033

Biztonsági figyelmeztetések (contrib) - 2017. március 22. 17.40
Description

Linkit provides an easy interface for internal and external linking with WYSIWYG editors by using an autocomplete field.

When searching for entities, this module doesn't always enforce the access restrictions and users may see information about entities they should not be able to access.

This is mitigated by the fact that a user must have access to a text format that uses Linkit.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Linkit 8.x-4.x versions prior to 8.x-4.3.

Drupal core is not affected. If you do not use the contributed Linkit- Enriched linking experience module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Linkit module for Drupal 8.x, upgrade to Linkit 8.x-4.3

Also see the Linkit- Enriched linking experience project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Office Hours - Moderately Critical - Cross Site Scripting - DRUPAL-SA-CONTRIB-2017-032

Biztonsági figyelmeztetések (contrib) - 2017. március 22. 17.37
Description

This module enables you to show the office hours of a location to the public.

The module doesn't sufficiently filter user input for malicious Cross Site Scripting (xss).

This vulnerability is mitigated by the fact that an attacker must have a role with a permission to add fields to an entity.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Office Hours 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed Office Hours module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Office Hours project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-001

Biztonsági figyelmeztetések (core) - 2017. március 15. 20.24

Drupal 8.2.7, a maintenance release which contains fixes for security vulnerabilities, is now available for download.

Download Drupal 8.2.7

Upgrading your existing Drupal 8 sites is strongly recommended. There are no new features nor non-security-related bug fixes in this release. See the 8.2.7 release notes for details on important changes and known issues affecting this release. Read on for details of the security vulnerabilities that were fixed in this release.

  • Advisory ID: DRUPAL-SA-CORE-2017-001
  • Project: Drupal core
  • Version: 8.x
  • Date: 2017-March-15
Description Editor module incorrectly checks access to inline private files - Drupal 8 - Access Bypass - Critical - CVE-2017-6377

When adding a private file via a configured text editor (like CKEditor), the editor will not correctly check access for the file being attached, resulting in an access bypass.

Some admin paths were not protected with a CSRF token - Drupal 8 - Cross Site Request Forgery - Moderately Critical - CVE-2017-6379

Some administrative paths did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.

Remote code execution - Drupal 8 - Remote code execution - Moderately Critical - CVE-2017-6381

A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution.

This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normal installed.

You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren’t vulnerable, you can remove the /vendor/phpunit directory from the site root of your production deployments.

Solution

Upgrade to Drupal 8.2.7

Reported by Editor module incorrectly checks access to inline private files - Drupal 8 - Access Bypass - Critical - CVE-2017-6377 Some admin paths were not protected with a CSRF token - Drupal 8 - Cross Site Request Forgery - Moderately Critical - CVE-2017-6379 Remote code execution - Drupal 8 - Remote code execution - Moderately Critical - CVE-2017-6381 Fixed by Editor module incorrectly checks access to inline private files - Drupal 8 - Access Bypass - Critical - CVE-2017-6377 Some admin paths were not protected with a CSRF token - Drupal 8 - Cross Site Request Forgery - Moderately Critical - CVE-2017-6379 Remote code execution - Drupal 8 - Remote code execution -Moderately Critical - CVE-2017-6381 Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Private - Critical - Access bypass - DRUPAL-SA-CONTRIB-2017-031

Biztonsági figyelmeztetések (contrib) - 2017. március 15. 19.15
Description

This module enables you to mark nodes as private so that they are only accessible to users that have been granted an extra permissions.

The module doesn't always enforce the access restrictions. In some cases a node that a site admin expects to be private is actually accessible as normal or nodes may be editable in ways a site admin may not expect.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Private 7.x-1.x versions

Drupal core is not affected. If you do not use the contributed Private module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Private module 7.x-1.x your site may be at risk. The only completely safe option is to take the website off-line. In most cases, disabling the module will not mitigate the vulnerabilities as that will expose even more private information.
  • A new maintainer has developed a beta secure version of the module using the 7.x-2.x branch. This is a partial rewrite and needs further testing. Please test it and provide bug reports and help developing patches.

Also see the Private project page.

Reported by

Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

PRLP - Critical - Access Bypass and Privilege Escalation - SA-CONTRIB-2017-030

Biztonsági figyelmeztetések (contrib) - 2017. március 8. 18.11
Description

This module adds a form on the password-reset-landing page to allow changing the password of the user during the log in process.

The module does not sufficiently validate all access tokens, which allows an attacker to change the password of any arbitrary user and gain access to their account.

In order to exploit, the attacker must have an active account on the site.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • PRLP versions prior to 8.x-1.3

Drupal core is not affected. If you do not use the contributed Password Reset Landing Page (PRLP) module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the PRLP module for Drupal 8.x, upgrade to PRLP 8.x-1.3 (the latest 8.x release as of this advisory date).

Also see the Password Reset Landing Page (PRLP) project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Services - Critical - Arbitrary Code Execution - SA-CONTRIB-2017-029

Biztonsági figyelmeztetések (contrib) - 2017. március 8. 16.39
Description

This module provides a standardized solution for building API's so that external clients can communicate with Drupal.

The module accepts user submitted data in PHP's serialization format ("Content-Type: application/vnd.php.serialized") which can lead to arbitrary remote code execution.

This vulnerability is mitigated by the fact that an attacker must know your Service Endpoint's path, and your Service Endpoint must have "application/vnd.php.serialized" enabled as a request parser.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Services 7.x-3.x versions prior to 7.x-3.19.

Drupal core is not affected. If you do not use the contributed Services module, there is nothing you need to do.

Solution

Install the latest version:

You may disable "application/vnd.php.serialized" under "Request parsing" in Drupal to prevent the exploit: /admin/structure/services/list/[my-endpoint]/server

However, installing the latest version of the Services module is highly recommended.

Also see the Services project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Breakpoint Panels - Critical - Unsupported - SA-CONTRIB-2017-028

Biztonsági figyelmeztetések (contrib) - 2017. március 1. 18.58
  • Advisory ID: DRUPAL-SA-CONTRIB-2017-028
  • Project: breakpoint panels (third-party module)
  • Version: 7.x
  • Date: 2017-March-01
Description

Breakpoint panels adds a button to the Panels In-Place Editor for each pane. When selected, it will display checkboxes next to all of the breakpoints specified in that modules UI. Unchecking any of these will 'hide' it from that breakpoint.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed breakpoint panels module, there is nothing you need to do.

Solution

If you use the breakpoint panels module for Drupal 7.x you should uninstall it.

Also see the breakpoint panels project page.

Reported by Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

AES - Critical - Unsupported - SA-CONTRIB-2017-027

Biztonsági figyelmeztetések (contrib) - 2017. március 1. 16.50
  • Advisory ID: DRUPAL-SA-CONTRIB-2017-027
  • Project: AES encryption (third-party module)
  • Version: 7.x, 8.x
  • Date: 2017-March-01
Description

This module provides an API that allows other modules to encrypt and decrypt data using the AES encryption algorithm.

The module does not follow requirements for encrypting data safely. An attacker who gains access to data encrypted with this module could decrypt it more easily than should be possible. The maintainer has opted not to fix these weaknesses. See solution section for details on how to migrate to a supported and more secure AES encryption module.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of the AES module

Drupal core is not affected. If you do not use the contributed AES encryption module, there is nothing you need to do.

Solution

If you're using the AES only because Drupal Remote Dashboard (DRD) and Drupal Remote Dashboard Server (DRD Server) depend on it, then update to the latest versions of DRD or DRD Server and disable the AES module -- those modules no longer depend on it.

In all other situations, you can replace the AES module with the Real AES module:

  • If you don't have a recent backup, make a backup of your site's database and codebase. Consider taking your site offline (e.g. using Drupal's maintenance mode) as some features may not work properly during this upgrade process.
  • Do NOT follow the normal uninstall process for the AES module. The uninstall process would delete your encryption key and make it impossible to recover your data! Instead, disable the module and delete the AES module directory without uninstalling the module.
  • Download and extract the latest release of Real AES
  • Download and extract the latest release of Key
  • Enable the Real AES, Key and AES compatibility modules
  • Use the Key module to create a new 128-bit encryption key with the name "Real AES Key".
  • Clear all your Drupal caches.
  • Modules that depend on AES and store encrypted data will continue to function as normal. They should decrypt and re-encrypt any stored data. The Real AES module provides some functions from the AES module (like, aes_encrypt() and aes_decrypt()) which can decrypt using your old key, but will re-encrypt using the new key and more correct AES encryption.

More detailed instructions available on the AES project page

Also see the AES encryption project page.

Reported by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Location Map - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-026

Biztonsági figyelmeztetések (contrib) - 2017. március 1. 16.43
Description

This module enables you to display one simple location map via Google Maps.

The module doesn't sufficiently sanitize user input in the configuration text fields of the module (allows any tags and does not respect text format configuration).

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer locationmap".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • locationmap 7.x-2.x versions prior to 7.x-2.4.

Drupal core is not affected. If you do not use the contributed Location Map module, there is nothing you need to do.

Solution

Install locationmap-7.x-2.4

Also see the Location Map project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Remember Me - Critical - Unsupported - SA-CONTRIB-2017-025

Biztonsági figyelmeztetések (contrib) - 2017. március 1. 16.34
  • Advisory ID: DRUPAL-SA-CONTRIB-2017-025
  • Project: Remember Me (third-party module)
  • Version: 7.x
  • Date: 2017-March-01
Description

Remember me is a module that allows users to check "Remember me" when logging in.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed Remember Me module, there is nothing you need to do.

Solution

If you use the remember_me module for Drupal 7.x you should uninstall it.

Also see the remember_me project page.

Reported by Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

RestWS - Moderately Critical - Information Disclosure - SA-CONTRIB-2017-024

Biztonsági figyelmeztetések (contrib) - 2017. március 1. 16.31
Description

RestWS makes Drupal Entity data available in a REST API.

The module doesn’t sufficiently check for access to properties when filtering queries.

This vulnerability is mitigated by the fact that an attacker must have a role that allows them to access an entity type with access-controlled properties. And the attacker can only query on the property equalling a value supplied by the attacker.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • restws 7.x-2.x versions prior to 7.x-2.7.

Drupal core is not affected. If you do not use the contributed RESTful Web Services module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the restws 2.x module for Drupal 7.x, upgrade to restws 7.x-2.7

Also see the RESTful Web Services project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

DownloadFile- Critical - Unsupported - SA-CONTRIB-2017-023

Biztonsági figyelmeztetések (contrib) - 2017. február 22. 18.22
Description

DownloadFile is a module to direct download files or images.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed download file module, there is nothing you need to do.

Solution

If you use the download_file module for Drupal 7.x you should uninstall it.

Also see the download file project page.

Reported by Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Unpublished 404 - Critical - Unsupported - SA-CONTRIB-2017-021

Biztonsági figyelmeztetések (contrib) - 2017. február 22. 18.19
Description

The purpose of this module is to emit a 404 error when a user tries to access a unpublished pages.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed unpublished 404 module, there is nothing you need to do.

Solution

If you use the unpublished_404 module for Drupal 7.x you should uninstall it.

Also see the unpublished 404 project page.

Reported by Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Views - Moderately Critical - Access Bypass - SA-CONTRIB-2017-022

Biztonsági figyelmeztetések (contrib) - 2017. február 22. 18.18
Description

The Views module allows site builders to create listings of various data in the Drupal database.

The Views module fails to add the required query tags to listings of Taxonomy Terms, which could cause private data stored on Taxonomy Terms to be leaked to users without permision to view it.

This is mitigated by the fact that a View must exist that lists Taxonomy Terms which contain private data. If all the data on Taxonomy Terms is public or there are no applicable Views, then your site is unaffected.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • views 7.x-3.x versions prior to 7.x-3.14.

Drupal core is not affected. If you do not use the contributed Views module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the views module for Drupal 7.x, upgrade to views 7.x-3.15

Also see the Views project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Timezone Detect - Moderately Critical - Cross Site Request Forgery - SA-CONTRIB-2017-020

Biztonsági figyelmeztetések (contrib) - 2017. február 22. 17.45
Description

This module enables sites to automatically detect and set user timezones via JavaScript.

The module does not sufficiently protect against Cross-Site Request Forgery (CSRF): an attacker could use this vulnerability to manipulate a user's timezone setting. The security implication of this issue depends on the site. It can range from minor annoyance to some level of a bigger bug on a site that relies on the timezone for some more important purpose.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Timezone Detect 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Timezone Detect module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Timezone Detect project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Metatag -Moderately Critical - Information disclosure - SA-CONTRIB-2017-019

Biztonsági figyelmeztetések (contrib) - 2017. február 15. 18.21
Description

This module enables you to add a variety of meta tags to a site for helping with a site's search engine results and to customize how content is shared on social networks.

The module doesn't sufficiently protect against data being cached that might contain information related to a specific user.

This vulnerability is mitigated by the fact that a site must have a page with sensitive data in the page title that varies per logged in user.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Metatag 7.x-1.x versions prior to 7.x-1.21.

Drupal core is not affected. If you do not use the contributed Metatag module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Metatag project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

RESTful - Moderately Critical - Access Bypass - SA-CONTRIB-2017-018

Biztonsági figyelmeztetések (contrib) - 2017. február 15. 17.55
Description

This module enables you to build a RESTful API for your Drupal site.

The restful_token_auth module (a sub-module) doesn't validate the status of users when logging them in. This results in a blocked user being able to operate normally with the RESTful actions, even after being blocked.

This vulnerability is mitigated by the fact that an attacker must be in possession of the credentials of a previously blocked user. It is also mitigated by the attacker only will have the access corresponding to the roles of the blocked user. Finally this only affects sites that use the sub-module, restful_token_auth.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • RESTful 7.x-1.x versions prior to 7.x-1.8.
  • RESTful 7.x-2.x versions prior to 7.x-2.16.

Drupal core is not affected. If you do not use the contributed RESTful module, there is nothing you need to do.

Solution

Install the latest version:

Also see the RESTful project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Flag clear - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2017-017

Biztonsági figyelmeztetések (contrib) - 2017. február 15. 17.42
Description

The Flag clear module allows administrators to remove user flags for content. This functionality is often useful in user-submission use-cases, where users do not necessarily need to unflag things on their own.

The module doesn't sufficiently protect from CSRF attacks. The unflagging links do not include a token.

This vulnerability is mitigated by the fact that an attacker must be targeting users with the 'clear flags' role. They must also discover a valid combination of flag, content and user IDs for flagged content.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All Flag clear module versions prior to 7.x-2.0.

Drupal core is not affected. If you do not use the contributed Flag clear module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Flag clear project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Search API Sorts - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-016

Biztonsági figyelmeztetések (contrib) - 2017. február 15. 17.30
Description

The Search API Sorts module allows the site administrator to configure custom sort options for their search results and expose the control interface via the core block system.

The module doesn't sufficiently sanitise the name of the sort option which is displayed to users.

This vulnerability is mitigated by the fact that an attacker must have a role with permission 'administer search_api'.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Search API Sorts 7.x-1.x versions prior to 7.x-1.7

Drupal core is not affected. If you do not use the contributed Search API sorts module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Search API sorts project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x

Hotjar - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-015

Biztonsági figyelmeztetések (contrib) - 2017. február 15. 17.19
Description

This module enables you to add the Hotjar tracking system to your website.

The module doesn't sufficiently sanitize the Hotjar ID when including tracking code.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer hotjar".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Hotjar 7.x-1.x versions before 7.x-1.2
  • Hotjar 8.x-1.x versions before 8.x-1.0

Drupal core is not affected. If you do not use the contributed Hotjar module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Hotjar module for Drupal 7.x upgrade to Hotjar 7.x-1.2
  • If you use the Hotjar module for Drupal 8.x upgrade to Hotjar 8.x-1.0

Also see the Hotjar project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.xDrupal 8.x