News reader

Entity API - Moderately critical - Information Disclosure - SA-CONTRIB-2018-013

Security advisories (contrib) - 14 February 2018, 21:34
Project: Entity API
Date: 2018-February-14
Security risk: Moderately critical 10/25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Information Disclosure
Description:

The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties.

The module prints debugging information to the HTML output in certain error conditions thereby causing an information disclosure vulnerability.

This vulnerability is mitigated by the fact that an attacker needs to be able to trigger the error condition in a way that protected data is exposed.

Solution: 

Install the latest version:

Reported By:

Fixed By:

Coordinated By:

Entity Backup - Critical - Module Unsupported - SA-CONTRIB-2018-012

Security advisories (contrib) - 14 February 2018, 21:27
Project: Entity Backup
Date: 2018-February-14
Security risk: Critical 18/25 AC:None/A:None/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability: Module Unsupported
Description:

The main purpose of the Entity Backup module is to keep a backup of deleted Drupal core entities and perform recovery of them.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

Solution: 

Uninstall the module

Reported By: 

Jean-Francois Hovinne

Fixed By: 

N/A

Coordinated By: 

N/A

Dynamic Banner - Critical - Module Unsupported - SA-CONTRIB-2018-011

Security advisories (contrib) - 14 February 2018, 20:01
Project: Dynamic Banner
Date: 2018-February-14
Security risk: Critical 18/25 AC:None/A:None/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability: Module Unsupported
Description:

Dynamic Banner is a module that lightens the load on web developers from creating many blocks for pages with different banners.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

Solution: 

Uninstall the module

Reported By:

Fixed By:

N/A

Coordinated By: 

N/A

Custom Permissions - Moderately critical - Access bypass - SA-CONTRIB-2018-010

Security advisories (contrib) - 14 February 2018, 19:28
Project: Custom Permissions
Version: 7.x-2.x-dev
Date: 2018-February-14
Security risk: Moderately critical 14/25 AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Description:

This module enables the user to set custom permissions per path.

The module doesn't perform sufficient checks on paths with dynamic arguments (like "node/1" or "user/2"), thereby allowing the site administrator to save custom permissions for paths that won't be protected. This could lead to an access bypass vulnerability if the site is relying on the Custom Permissions module to protect those paths.

This vulnerability is mitigated by the fact that it only occurs on sites which attempted to use the Custom Permissions module to protect dynamic paths.

Solution: 

Install the latest version:

After installing the latest version, visit Administration → People → Custom Permissions (admin/people/custom_permissions) and save the form. If it saves with no errors, your site is not vulnerable. However, if an error message is displayed informing you that the module is attempting to protect paths with dynamic arguments that it is unable to protect, your site requires a manual fix; you should reconfigure the site to use a different method to protect these paths (for example, use "node/*" to protect all nodes with the same permission, rather than "node/1" to try to protect only a specific node; or, alternatively, use a node access module to protect the node-related paths with fine-grained access control).

Reported By:

Fixed By:

Coordinated By:

VChess - Critical - Module Unsupported - SA-CONTRIB-2018-009

Security advisories (contrib) - 14 February 2018, 16:47
Project: VChess
Date: 2018-February-14
Security risk: Critical 18/25 AC:None/A:None/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability: Module Unsupported
Description:

The Drupal VChess module allows users to play a chess game.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

Solution: 

Uninstall the module.

Reported By:

Fixed By:

N/A

Coordinated By: 

N/A

Entity Reference Tab / Accordion Formatter - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-008

Security advisories (contrib) - 7 February 2018, 19:45
Project: Entity Reference Tab / Accordion Formatter
Date: 2018-February-07
Security risk: Moderately critical 14/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Description:

This module enables you to show referenced entities in tabs.

The module doesn't sufficiently sanitize the body fields of the referenced entities when it prints them to the tabs.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create or edit content of the referenced content type.

Solution: 

Install the latest version:

  • If you use the Entity Reference Tab / Accordion Formatter module for Drupal 8.x, upgrade to 8.x-1.3

Reported By:

Fixed By:

Coordinated By:

FileField Sources - Moderately critical - Access Bypass - SA-CONTRIB-2018-007

Security advisories (contrib) - 7 February 2018, 18:50
Project: FileField Sources
Date: 2018-February-07
Security risk: Moderately critical 12/25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access Bypass
Description:

This module enables you to upload files to fields via several sources.

The module doesn't sufficiently handle access control on the autocomplete path used by its reference sources.

Solution: 

Install the latest version:

  • If you use the reference source provided by the filefield_sources module for Drupal 7.x, upgrade to 7.x-1.11.

Reported By:

Fixed By:

Coordinated By:

Taxonomy Term Reference Tree Widget - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-006

Security advisories (contrib) - 31 January 2018, 19:15
Project: Taxonomy Term Reference Tree Widget
Date: 2018-January-31
Security risk: Moderately critical 13/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Description:

This module provides an expandable tree widget for the Taxonomy Term Reference field in Drupal 7.

The module doesn't sufficiently sanitize the output of its own defined field formatter.

This vulnerability is mitigated by the fact that an attacker must have a role with a permission that allows editing terms of a taxonomy whose output is handled by the module.

Solution: 

Install the latest version:

  • If you use the Taxonomy Term Reference Tree Widget module for Drupal 7.x, upgrade to 7.x-1.11

Reported By:

Fixed By:

Coordinated By:

Sagepay - Critical - Access Bypass - SA-CONTRIB-2018-005

Security advisories (contrib) - 31 January 2018, 18:47
Project: Sagepay
Version: 7.x-1.4
Date: 2018-January-31
Security risk: Critical 15/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access Bypass
Description:

This module integrates the Sagepay payment service.

Some of the URLs used while processing the payment are not sufficiently secured. This might allow attackers to resume a previously failed payment attempt or to view content that should only be shown after a successful payment. This affects all payments in a Drupal installation with this module enabled (including payments made using other payment methods).

Solution: 

Install the latest version:

Also see the Sagepay project page.

Reported By:

Fixed By:

Coordinated By:

Backup and Migrate - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-004

Security advisories (contrib) - 24 January 2018, 19:32
Project: Backup and Migrate
Date: 2018-January-24
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:All/E:Theoretical/TD:Default
Vulnerability: Arbitrary PHP code execution
Description:

This module enables you to create manual and scheduled backups of a site, and restore the site from backup.

The module doesn't sufficiently identify that its custom permissions are risky and should only be granted to highly trusted roles.

Sites using this module should review the permissions page to verify only trusted users are granted permissions defined by the module.

Solution: 

Install the latest version:

Reported By:

Fixed By:

Coordinated By:

Bible - Critical - Multiple Vulnerabilities - SA-CONTRIB-2018-003

Security advisories (contrib) - 17 January 2018, 19:46
Project: Bible
Date: 2018-January-17
Security risk: Critical 17/25 AC:Basic/A:User/CI:Some/II:All/E:Proof/TD:All
Vulnerability: Multiple Vulnerabilities
Description:

This module enables you to display a Bible on your website. Users can associate notes with a Bible version.

This module has a vulnerability that would allow an attacker to wipe out, update or read notes from other users with a carefully crafted title.

A user must have the "Access Bible content" privilege, which is most likely the default if you have enabled this module.

The code appeared to allow other SQL injection vulnerabilities as well. Many lines of code were rewritten to make this module more secure. Therefore, even if you did not give users the "Access Bible content" privilege, there may have been other SQL vulnerabilities which could have been exploited.

Solution: 

Install the latest version:

  • If you use the Bible module for Drupal 7.x, upgrade to Bible 7.x-1.7

Reported By:

Fixed By:

Coordinated By:

Node View Permissions - Moderately critical - Access Bypass - SA-CONTRIB-2018-002

Security advisories (contrib) - 10 January 2018, 19:02
Project: Node View Permissions
Version: 8.x-1.x-dev, 7.x-1.x-dev
Date: 2018-January-10
Security risk: Moderately critical 14/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access Bypass
Description:

The Node view permissions module enables the "View own content" and "View any content" permissions for each content type on the permissions page.

This module has a vulnerability that allows users with these permissions to view unpublished content that they are not otherwise authorized to view.

This issue was fixed by the maintainer outside of the normal security team protocols. Some issues were patched in 2014 for the 7.x version of this module. The 8.x release was updated within the last 6 months. Both are now flagged as security updates.

Solution: 

Install the latest version:

Reported By:

Fixed By:

  • The module maintainer

Coordinated By:

Stacks - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-001

Security advisories (contrib) - 10 January 2018, 18:57
Project: Stacks
Date: 2018-January-10
Security risk: Critical 18/25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Arbitrary PHP code execution
Description:

This module enables content editors to create complex pages and layouts on the fly without the help from a developer, using reusable widgets.

The module does not sufficiently filter values posted to its AJAX endpoint, which leads to the instantiation of an arbitrary PHP class.

This vulnerability is mitigated by the fact that only sites with the Stacks - Content Feed submodule enabled are affected.

Solution: 

Install the latest version:

  • If you use the Stacks module for Drupal 8.x, upgrade to Stacks 8.x-1.1

Reported By:

  • Jean-François Hovinne

Fixed By:

  • Mauro Vigliotti, the module maintainer

Coordinated By:

  • Michael Hess of the Drupal Security Team

me aliases - Highly critical - Arbitrary code execution - SA-CONTRIB-2017-097

Security advisories (contrib) - 20 December 2017, 19:47
Project: me aliases
Date: 2017-December-20
Security risk: Highly critical 20/25 AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Arbitrary code execution
Description:

The 'me' module provides shortcut paths to the current user's pages, e.g. user/me, blog/me, user/me/edit, tracker/me, etc.

The way the 'me' module handles URL arguments allows an attacker to execute arbitrary code strings.

Solution:

Install the latest version:

  • If you use the 'me' module for Drupal 7.x, upgrade to 'me' 7.x-1.3

Reported By:

  • ross.linscott

Fixed By:

  • Camilo Bravo
  • nohup
  • Michael Hess of the Drupal Security Team

Coordinated By:

  • Michael Hess of the Drupal Security Team

Directory based organisational layer - Critical - Unsupported - SA-CONTRIB-2017-096

Security advisories (contrib) - 20 December 2017, 16:06
Project: Directory based organisational layer
Date: 2017-December-20
Security risk: Critical 18/25 AC:None/A:None/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability: Unsupported
Description:

This module adds a new organizational layer to Drupal, making it easy to manage large numbers of files and nodes.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. The security team takes action in cases like this without regard to the severity of the security issue in question. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

All projects that are being marked unsupported are given a score of critical. Code that is no longer maintained poses a threat to securing sites.

Solution:

If you use the Directory based organisational layer tag module for Drupal you should uninstall it.

Reported By:

Jean-Francois Hovinne

Fixed By:

N/A

ComScore direct tag - Critical - Unsupported - SA-CONTRIB-2017-095

Security advisories (contrib) - 20 December 2017, 16:00
Project: ComScore direct tag
Date: 2017-December-20
Security risk: Critical 18/25 AC:None/A:None/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability: Unsupported
Description:

A simple module that adds the JavaScript for the comScore Direct tag to your Drupal site.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. The security team takes action in cases like this without regard to the severity of the security issue in question. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

All projects that are being marked unsupported are given a score of critical. Code that is no longer maintained poses a threat to securing sites.

Solution:

If you use the ComScore Direct tag module for Drupal you should uninstall it.

Reported By:

Balazs Janos Tatar

Fixed By:

N/A

Link Click Count - Critical - Unsupported - SA-CONTRIB-2017-094

Security advisories (contrib) - 20 December 2017, 15:12
Project: Link Click Count
Date: 2017-December-20
Security risk: Critical 18/25 AC:None/A:None/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability: Unsupported
Description:

The Link Click Count module helps you to monitor the traffic to your website by creating link fields. These link fields can be individual links or internal/external links that can be added to the content type.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. The security team takes action in cases like this without regard to the severity of the security issue in question. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

All projects that are being marked unsupported are given a score of critical. Code that is no longer maintained poses a threat to securing sites.

Solution:

If you use the Link Click Count module for Drupal you should uninstall it.

Reported By:

Karthik Kumar D K

Fixed By:

N/A

Panopoly Core - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-093

Security advisories (contrib) - 13 December 2017, 19:24
Project: Panopoly Core
Version: 7.x-1.x-dev
Date: 2017-December-13
Security risk: Moderately critical 13/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Scripting
Description:

This module provides common functionality used by other modules in the Panopoly distribution and child distributions, such as Open Atrium.

The module doesn't sufficiently filter node titles used in breadcrumbs when the "Append Page Title to Site Breadcrumb" setting is enabled.

This vulnerability is mitigated by the fact that an attacker must have a role with the ability to create content.

Solution:

Install the latest version:

Reported By:

Fixed By:

Coordinated By:

Node feedback - Moderately critical - Access Bypass - SA-CONTRIB-2017-092

Security advisories (contrib) - 6 December 2017, 20:02
Project: Node feedback
Version: 7.x-1.2
Date: 2017-December-06
Security risk: Moderately critical 12/25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access Bypass
Description:

This module enables you to configure nodes so that feedback about them is sent through personal or site-wide contact forms.

The module doesn't sufficiently check access to the nodes whose titles are shown on those contact forms.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Use the site-wide contact form" or "Use users' personal contact forms", which is often assigned to untrusted user roles such as anonymous.

Solution:

Install the latest version:

Also see the Node feedback project page.

Reported By:

Fixed By:

Coordinated By:

Configuration Update Manager - Moderately critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2017-091

Security advisories (contrib) - 6 December 2017, 19:44
Project: Configuration Update Manager
Version: 8.x-1.4
Date: 2017-December-06
Security risk: Moderately critical 12/25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Request Forgery (CSRF)
Description:

The Configuration Update Reports sub-module in the Configuration Update Manager project enables you to run reports to see what configuration on your site differs from the configuration distributed by a module, theme, or installation profile, and to revert, delete, or import configuration.

This module doesn't sufficiently protect the Import operation, thereby exposing a Cross Site Request Forgery (CSRF) vulnerability which can be exploited by unprivileged users to trick an administrator into an unwanted import of configuration.

This vulnerability is mitigated by the fact that only configuration items distributed with a module, theme, or installation profile that is currently installed and enabled on the site can be imported, not arbitrary configuration values.

Solution:

Install the latest version:

Alternatively, you could remove the permission "import configuration" from all roles on the site, or uninstall the Configuration Update Reports sub-module from your production sites.

Also see the Configuration Update Manager project page.

Reported By:

Fixed By:

Coordinated By: