Hírolvasó

Project: File (Field) PathsDate: 2018-August-15Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:All/E:Theoretical/TD:DefaultVulnerability: Remote Code ExecutionDescription: 

This module enables you to automatically sort and rename your uploaded files using token based replacement patterns to maintain a nice clean filesystem.

The module doesn't sufficiently sanitize the path while a new file is uploading, allowing a remote attacker to execute arbitrary PHP code.

This vulnerability is mitigated by the fact that an attacker must have access to a form containing a widget processed by this module.

Solution: 

Install the latest version:

• If you use the filefield_paths module for Drupal 7.x, upgrade to filefield_paths 7.x-1.1

Reported By: 

• Wayne Eaker
• jasonschweb

Fixed By: 

• Oleh Vehera

Coordinated By: 

• Michael Hess of the Drupal Security Team

Project: PHP ConfigurationVersion: 8.x-1.07.x-1.0Date: 2018-August-08Security risk: Critical 17∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Arbitrary PHP code executionDescription: 

This module enables you to add or overwrite PHP configuration on a drupal website.

The module doesn't sufficiently allow access to set these configurations, leading to arbitrary PHP configuration execution by an attacker.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer phpconfig".

After updating the module, it's important to review the permissions of your website and if 'administer phpconfig' permission is given to a not fully trusted user role, we advise to revoke it.

Solution: 

Install the latest version:

• If you use the PHP Configuration module for Drupal 7.x, upgrade to PHP Configuration
  7.x-1.1
• If you use the PHP Configuration module for Drupal 8.x, upgrade to PHP Configuration
  8.x-1.1

Also see the PHP Configuration project page.

Reported By: 

• Balazs Janos Tatar Provisional security team member

Fixed By: 

• bappa.sarkar The module maintainer

Coordinated By: 

• mpotter of the Drupal Security Team

• Advisory ID: SA-CORE-2018-005
• Project: Drupal core
• Version: 8.x
• CVE: CVE-2018-14773
• Date: 2018-August-01

Description

The Drupal project uses the Symfony library. The Symfony library has released a security update that impacts Drupal. Refer to the Symfony security advisory for the issue.

The same vulnerability also exists in the Zend Feed and Diactoros libraries included in Drupal core; however, Drupal core does not use the vulnerable functionality. If your site or module uses Zend Feed or Diactoros directly, read the Zend Framework security advisory and update or patch as needed.

The Drupal Security Team would like to to thank the Symfony and Zend Security teams for their collaboration on this issue.

Versions affected

8.x versions before 8.5.6.

Solution

Upgrade to Drupal 8.5.6.

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 8.x

Project: Select (or other)Date: 2018-July-25Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingDescription: 

This module enables users to select 'other' on certain form elements and a textfield appears for the user to provide a custom value.

The module doesn't sufficiently escape values of a text field the under the scenario when "Select or other" formatter is used.

This vulnerability is mitigated by the fact that an attacker must have access to edit a field that is displayed through the "Select or other" formatter.

Solution: 

• If you use the "Select or other" 7.x-2.x, upgrade to Select or other 7.x-2.24
• If you use the "Select or other" 7.x-3.x, upgrade to Select or other 7.x-3.0-alpha3

Also see the Select (or other) project page.

Reported By: 

• bucefal91

Fixed By: 

• Chris Jansen, the module maintainer

Coordinated By: 

Michael Hess of the Drupal Security Team

Project: XML sitemapDate: 2018-July-18Security risk: Moderately critical 13∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Information DisclosureDescription: 

This module enables you to generate XML sitemaps and it helps search engines to more intelligently crawl a website and keep their results up to date.

The module doesn't sufficiently handle access rights under the scenario of updating contents from cron execution.

Solution: 

• If you use the XML sitemap module for Drupal 7.x, upgrade to XML sitemap 7.x-2.4

Also see the XML sitemap project page.

Reported By: 

• Balazs Janos Tatar Provisional Security Team member

Fixed By: 

• Balazs Janos Tatar
• jtsnow
• Tushar Thatikonda

Coordinated By: 

• Michael Hess of the Drupal Security Team

Project: Taxonomy Entity QueueDate: 2018-July-18Security risk: Critical 17∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: SQL InjectionDescription: 

This module enables you to create an entityqueue based on a taxonomy.

The module did not properly use Drupal's database API when querying the database with user supplied values, allowing an attacker to send a specially crafted request to modify the query or potentially perform additional queries.

This vulnerability is mitigated by the fact that an attacker must have a role with the "administer entity queue taxonomy" permission.

Solution: 

Install the latest version:

• If you use the Taxonomy Entity Queue module for Drupal 7.x, upgrade to Taxonomy Entity Queue 7.x-1.1

Also see the Taxonomy Entity Queue project page.

Reported By: 

• Drew Webber

Fixed By: 

• Bappa Sarkar
• Drew Webber

Coordinated By: 

• Michael Hess of the Drupal Security Team

Project: TapestryDate: 2018-July-11Security risk: Moderately critical 14∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross Site ScriptingDescription: 

This theme provides Drupal users with many advanced features including 20 Different Color Styles, 30 User Regions, Custom Block Theme Templates, Suckerfish Menus, Icon Support, Advanced Page Layout Options, Simple Configuration, Custom Typography...

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is only exploitable with non-default settings and under certain site configurations.

Solution: 

Install the latest version:

• If you use the Tapestry theme for Drupal 7.x, upgrade to Tapestry 7.x-2.2

Also see the Tapestry project page.

Reported By: 

• Drew Webber

Fixed By: 

• Kisugi Ai

Coordinated By: 

• Michael Hess of the Drupal Security Team

Project: litejazzDate: 2018-July-11Security risk: Moderately critical 14∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross Site ScriptingDescription: 

This theme features 3 color styles, 12 fully collapsible regions, suckerfish menus, fluid or fixed widths, easy configuration, and more.

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is only exploitable with non-default settings and under certain site configurations.

Solution: 

Install the latest version:

• If you use the litejazz theme for Drupal 7.x, upgrade to litejazz 7.x-2.3

Also see the litejazz project page.

Reported By: 

• Drew Webber

Fixed By: 

• Kisugi Ai

Coordinated By: 

• Michael Hess of the Drupal Security Team

Project: NewsFlashDate: 2018-July-11Security risk: Moderately critical 14∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross Site ScriptingDescription: 

This theme features 7 color styles, 12 collapsible regions, suckerfish menus, fluid or fixed widths, and lots more.

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is only exploitable with non-default settings and under certain site configurations.

Solution: 

Install the latest version:

• If you use the NewsFlash theme for Drupal 7.x, upgrade to NewsFlash 7.x-2.6

Also see the NewsFlash project page.

Reported By: 

• Drew Webber

Fixed By: 

• Kisugi Ai

Coordinated By: 

• Michael Hess of the Drupal Security Team

Project: Beale StreetDate: 2018-July-11Security risk: Moderately critical 13∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross Site ScriptingDescription: 

This theme features 4 built-in color styles, 18 collapsible regions, Suckerfish menus, flexible widths, adjustable sidebars, configurable font family, and lots more.

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is not exploitable under common site configurations.

Solution: 

• If you use the Beale Street theme for Drupal 7.x, upgrade to Beale Street 7.x-1.2

Also see the Beale Street project page.

Reported By: 

• Drew Webber

Fixed By: 

• Kisugi Ai

Coordinated By: 

• Michael Hess of the Drupal Security Team

Project: EU Cookie ComplianceDate: 2018-July-11Security risk: Moderately critical 12∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingDescription: 

This module addresses the General Data Protection Regulation (GDPR) that came into effect 25th May 2018, and the EU Directive on Privacy and Electronic Communications from 2012. It provides a banner where you can gather consent from the user to store cookies on their computer and handle their personal information.

This module does not sanitize some inputs leading to XSS. This is mitigated by the attacker having the permission "Administer EU Cookie Compliance."

Solution: 

Install the latest version:

• If you use the eu_cookie_compliance module for Drupal 7.x, upgrade to eu_cookie_compliance 7.x-1.24
• If you use the eu_cookie_compliance module for Drupal 8.x, upgrade to eu_cookie_compliance 8.x-1.1

Also see the EU Cookie Compliance project page.

Reported By: 

• Alexander Hass

Fixed By: 

• Sven Berg Ryen
• Alexander Hass

Coordinated By: 

• Michael Hess of the Drupal Security Team

Project: Commerce Custom Order StatusDate: 2018-July-11Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability:  Cross Site ScriptingDescription: 

Commerce Custom Order Status provides forms for administrators to add, edit, and delete order statuses from the order settings screen.

The module doesn't sufficiently sanitize the output of the status names.

This vulnerability is mitigated by the fact that an attacker must have a role with the "configure order settings" permission.

Solution: 

Install the latest version:

• If you use the Commerce Custom Order Status module for Drupal 7.x, upgrade to Commerce Custom Order Status 7.x-1.1

Also see the Commerce Custom Order Status project page.

Reported By: 

• bucefal91

Fixed By: 

• bucefal91
• Fabien Leroux

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Universally Unique IDentifierDate: 2018-July-04Security risk: Moderately critical 12∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Arbitrary file uploadDescription: 

This module provides an API for adding universally unique identifiers (UUID) to Drupal objects, most notably entities.

The module module has an arbitrary file upload vulnerability when it's used in combination with the services REST server.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to allow to upload to the file create REST endpoint.

Solution: 

If you use the uuid module for Drupal 7.x, upgrade to uuid 7.x-1.1

Also see the Universally Unique IDentifier project page

Reported By: 

• Gustavo Iñiguez Goia

Fixed By: 

• Manuel Garcia

Coordinated By: 

• Michael Hess Of the Drupal Security Team

Project: TFA Basic pluginsVersion: 7.x-1.0Date: 2018-June-27Security risk: Less critical 9∕25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Insecure RandomnessDescription: 

The TFA Basic module enables you to use Two Factor Authentication via a variety of plugins including TOTP and one-time codes delivered via email or sms.

The module doesn't use a strong source of randomness, creating weak and predictable one-time login codes that are then delivered using SMS. This weakness does not affect the more common TOTP second factor.

This vulnerability is mitigated by the fact that the site must be configured to use SMS to deliver one-time login codes which is an uncommon configuration.

Solution: 

• If you use the TFA Basic module for Drupal 7.x, upgrade to TFA Basic 7.x-1.1

Also see the TFA Basic plugins project page.

Reported By: 

• Greg Knaddison of the Drupal Security Team

Fixed By: 

• Greg Knaddison of the Drupal Security Team
• Ben Jeavons of the Drupal Security Team

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Mass Password ResetVersion: 7.x-1.0Date: 2018-June-27Security risk: Less critical 9∕25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Insecure RandomnessDescription: 

This module enables you to reset passwords for all users based upon their user role.

The module doesn't use a strong source of randomness, creating weak and predictable passwords.

This vulnerability is mitigated by the fact that the site must be configured to reveal the password to the attacker, which is a common configuration.

Solution: 

Install the latest version:

• If you use the Mass Password Reset module for Drupal 7.x, upgrade to Mass Password Reset 7.x-1.1.

Also see the Mass Password Reset project page.

Reported By: 

• Greg Knaddison of the Drupal Security Team

Fixed By: 

• Greg Knaddison of the Drupal Security Team
• Mark Shropshire

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Generate Password Version: 7.x-1.x-devDate: 2018-June-27Security risk: Less critical 9∕25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Insecure RandomnessDescription: 

The Genpass module makes the password field optional (or hidden) on the add new user page (admin & registration). If the password field is not set during registration, the system generates a password.

The module doesn't use a strong source of randomness, creating weak and predictable passwords.

This vulnerability is mitigated by the fact that the site must be configured to reveal the password to the attacker which is a common configuration.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Solution: 

Install the latest version:

• If you use the Genpass module for Drupal 7.x-1.x, upgrade to Genpass 7.x-1.1

Also see the Generate Password project page.

Reported By: 

• Greg Knaddison of the Drupal Security Team

Fixed By: 

• Joel Stein a module maintainer

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Custom TokensDate: 2018-June-13Security risk: Critical 16∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Arbitrary PHP code executionDescription: 

The Custom Tokens module enables you to create custom tokens for specific replacements that can improve other modules relying on the token API.

The module doesn't sufficiently identify that its custom permissions are risky and should only be granted to highly trusted roles.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer custom tokens".

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Solution: 

Install the latest version and review your permissions.

Note, after upgrading, additional configuration steps required. Sites using this module should review the permissions page at Administration » People » Permissions to verify only trusted users are granted permissions defined by the module such as "administer custom tokens".

• If you use the Custom Tokens module (1.x) for Drupal 7.x, upgrade to Custom Tokens 7.x-1.2.
• If you use the Custom Tokens module (2.x) for Drupal 7.x, upgrade to Custom Tokens 7.x-2.0.

Also see the Custom Tokens project page.

Reported By: 

• Matt Glaman

Fixed By: 

• Ariel Barreiro

Coordinated By: 

• Michael Hess of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: Entity DeleteDate: 2018-June-06Security risk: Critical 18∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Multiple Vulnerabilities Description: 

This module enables you to delete any types of entities in bulk.

The module doesn't sufficiently verify access permissions under its use cases, leading to access bypass. The module also does not protect against Cross Site Request Forgeries on its delete process.

The access bypass vulnerability is mitigated by the fact that an attacker must have a role with the permission "access content". There is no additional mitigation for the Cross Site Request Forgery vulnerability.

Solution: 

Install the latest version:

• If you use the Entity Delete module for Drupal 8.x, upgrade to Entity Delete 8.x-1.4

Also see the Entity Delete project page.

Reported By: 

• Balazs Janos Tatar Provisional Security Team Member

Fixed By: 

• Balazs Janos Tatar Provisional Security Team Member
• A Ajay Kumar Reddy

Coordinated By: 

• Balazs Janos Tatar Provisional Security Team Member

Project: AdTego SiteIntel - AdBlocker DetectDate: 2018-June-06Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:AllVulnerability: UnsupportedDescription: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466.

Solution: 

If you use this project, you should uninstall it.

Reported By: 

• Jean-Francois Hovinne

Project: MollomDate: 2018-June-06Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:AllVulnerability: UnsupportedDescription: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported projects critical by default.

Solution: 

If you use this project, you should uninstall it.

Reported By: 

• Stéphane Corlosquet

Fixed By: 

N/A

Coordinated By: 

N/A