Hírolvasó

Project: Drupal coreDate: 2022-January-19Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:DefaultVulnerability: Cross site scriptingDescription: 

jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life.

Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version. In addition to the issue covered by SA-CORE-20220-001, further security vulnerabilities disclosed in jQuery UI 1.13.0 may affect Drupal 7 only:

• CVE-2021-41182: XSS in the altField option of the Datepicker widget
• CVE-2021-41183: XSS in *Text options of the Datepicker widget

Furthermore, other vulnerabilities listed below were previously unaddressed in the version of jQuery UI included in Drupal 7 or in the jQuery Update module:

• CVE-2016-7103: XSS in closeText option of Dialog
• CVE-2010-5312: XSS in the title option of Dialog (applicable only to the jQuery UI version included in D7 core)

It is possible that these vulnerabilities are exploitable via contributed Drupal modules or custom code. As a precaution, this Drupal security release applies the fix for the above cross-site scripting issues, without making other changes to the jQuery UI version that is included in Drupal.

This advisory is not covered by Drupal Steward.

Important note regarding the jQuery Update contrib module

These backport fixes in D7 have also been tested with the version of jQuery UI provided by the most recent releases of the jQuery Update module (jQuery UI 1.10.2) and the fixes confirmed. Therefore, there is no accompanying security release for jQuery Update.

However, in early 2022 the currently supported release of jQuery Update (7.x-2.7 from 2015) will be deprecated and replaced by a new release from the 7.x-4.x branch. The stable release from that branch will then be the only release considered by Drupal Security Team when new jQuery security issues arise.

Please check the jQuery Update project page for more details, and for announcements when the changes are made to supported releases.

Solution: 

Install the latest version:

• If you are using Drupal 7, update to Drupal 7.86

Reported By: 

• Lauri Eskola

Fixed By: 

• Drew Webber of the Drupal Security Team
• Alex Bronstein of the Drupal Security Team
• Lauri Eskola

Project: Drupal coreDate: 2022-January-19Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:DefaultVulnerability: Cross Site ScriptingDescription: 

jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life.

Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version. As part of this 1.13.0 update, they disclosed the following security issue that may affect Drupal 9 and 7:

• CVE-2021-41183: XSS in the of option of the .position() util

It is possible that this vulnerability is exploitable with some Drupal modules. As a precaution, this Drupal security release applies the fix for the above cross-site description issue, without making any of the other changes to the jQuery version that is included in Drupal.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

• If you are using Drupal 9.3, update to Drupal 9.3.3.
• If you are using Drupal 9.2, update to Drupal 9.2.11.
• If you are using Drupal 7, update to Drupal 7.86.

All versions of Drupal 8 and 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Reported By: 

• Lauri Eskola

Fixed By: 

• Lauri Eskola
• Chris of the Drupal Security Team
• Drew Webber of the Drupal Security Team
• Alex Bronstein of the Drupal Security Team
• Ben Mullins
• xjm of the Drupal Security Team
• Théodore Biadala

Project: jQuery UI DatepickerDate: 2022-January-19Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:DefaultVulnerability: Cross Site ScriptingDescription: 

jQuery UI is a third-party library used by Drupal. The jQuery UI Datepicker module provides the jQuery UI Datepicker library, which is not included in Drupal 9 core.

jQuery UI was previously thought to be end-of-life.

Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version. As part of this 1.13.0 update, they disclosed the following security issues that may affect site using the jQuery UI Datepicker module:

• CVE-2021-41182: XSS in the altField option of the Datepicker widget
• CVE-2021-41183: XSS in *Text options of the Datepicker widget

Solution: 

Install the latest version:

• If you use the jQuery UI Datepicker module for Drupal 9.x, upgrade to jQuery UI Datepicker 8.x-1.2

Reported By: 

• Lauri Eskola

Fixed By: 

• Andrei Ivnitskii
• Ben Mullins
• Lauri Eskola

Project: WysiwygDate: 2022-January-05Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross site scriptingDescription: 

This module enables you to integrate various What-You-See-Is-What-You-Get (WYSIWYG) rich text editors into Drupal fields with text formats allowing markup for easier editing.

The module doesn't sufficiently sanitize user input before attaching a WYSIWYG editor to an input field such as a textarea. If the editor used has an XSS vulnerability this would allow for example a commenter to put specially crafted markup which could trigger the vulnerability when viewed in the editor by an administrator.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content using a text format with an attached and XSS vulnerable rich text editor.

Solution: 

Install the latest version:

• If you use the Wysiwyg module for Drupal 7.x, upgrade to WYSIWYG 7.x-2.9

After upgrading verify that text formats which have a WYSIWYG editor profile also uses a text filter, such as Core's "Limit allowed HTML tags", if accessible by untrusted users.
A list of known compatible input filters that will be applied is shown when configuring a WYSIWYG editor profile along with a status indicator.

It is recommended to always be using the latest stable version of any installed editor libraries.

Reported By: 

• r0ng

Fixed By: 

• Daniel Kudwien
• Henrik Danielsson
• r0ng
• Wim Leers
• Mori Sugimoto of the Drupal Security Team
• Damien McKenna of the Drupal Security Team

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Damien McKenna of the Drupal Security Team
• Chris of the Drupal Security Team

Project: Simple OAuth (OAuth2) & OpenID ConnectDate: 2022-January-05Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

This module enables you to implement OAuth 2.0 authentication for Drupal.

The module doesn't sufficiently verify client secret keys for "confidential" OAuth 2.0 clients when using certain grant types. The token refresh and client credentials grants are not affected.

This vulnerability is mitigated by the fact that the vast majority of OAuth 2.0 clients in the wild are public, not confidential. Furthermore, all affected grant types still require users to authenticate to Drupal during the OAuth flow.

The implicit grant type is insecure for other reasons (and still requires user authentication) and is disabled by default.

Sites at risk of information disclosure would be specifically configured to restrict access based on the OAuth client's confidentiality status and configured scopes, not only traditional Drupal user permissions and roles.

Further mitigation includes configuring allowed redirect URIs for clients. This is an OAuth best practice for guarding against man-in-the-middle attacks on authorization codes, and prevents redirection to imposter clients.

Anyone implementing OAuth 2.0 on their Drupal site is also encouraged to review the relevant RFCs and Internet-Drafts pertaining to OAuth security.

Solution: 

Install the latest version:

• If you use the simple_oauth module for Drupal 9.x, upgrade to simple_oauth-8.x-4.6, 5.0.6 or 5.2.0.

Important note: 8.x-4.6 will be the last release for the 8.x-4.x branch. Support for this major version will end February 28, 2022. The upgrade path to 5.x is easy, supported and well-tested. All users of versions < 5 should upgrade to 5.2.0.

The 5.0.x version will be supported until July 31, 2022. Read the 5.2.0 change record for information about changes to previously non-spec-compliant response codes and messages.

Reported By: 

• Simon Bäse

Fixed By: 

• Brad Jones
• Simon Bäse

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Super LoginDate: 2022-January-05Security risk: Critical 18∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

This module enables you to login with an email address.

The module doesn't sufficiently check if a user account is active when using email login.

This vulnerability is mitigated by the fact that an attacker must have an account in the website that is blocked.

Solution: 

Install the latest version:

• If you use the Super Login module for Drupal 8.x, upgrade to Super Login 8.x-1.7

Reported By: 

• Karthik Kumar D K

Fixed By: 

• 3CWebDev
• Karthik Kumar D K

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Mail LoginDate: 2021-December-22Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

This modules enables users to login via email address.

This module does not sufficiently check user status when authenticating.

Solution: 

Install the latest version:

• If you use the mail_login module for Drupal 8 or 9, upgrade to Mail Login 8.x-2.5

Reported By: 

• seroton
• Abhishek Vishwakarma
• Dmitriy.trt

Fixed By: 

• Abhishek Vishwakarma
• Mohammad AlQanneh

Coordinated By: 

• Chris of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team
• Damien McKenna of the Drupal Security Team
• Drew Webber of the Drupal Security Team

Project: Search API PagesDate: 2021-December-08Security risk: Critical 16∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross Site ScriptingDescription: 

This module enables you to create simple search pages based on Search API without the use of Views.

The module doesn’t sufficiently escape all variables provided for custom templates.

This vulnerability is mitigated by the fact that the default template provided by the module is not affected.

Solution: 

Install the latest version:

• If you use the Search API Pages module for Drupal 7.x, upgrade to Search API Pages 7.x-1.6

Reported By: 

• Duncan Davidson

Fixed By: 

• Damien McKenna of the Drupal Security Team
• Duncan Davidson
• Thomas Seidl
• Joris Vercammen

Coordinated By: 

• Chris of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: WebformDate: 2021-December-08Security risk: Critical 16∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Scripting, Access BypassDescription: Access Bypass:

This module enables you to build forms and surveys in Drupal.

The module doesn't sufficiently check access for administrative features for webforms attached to nodes using the Webform Node module. This may reveal submitted data or allow an attacker to modify submitted data. Additionally, for sites with webforms that send emails and store submissions this vulnerability would allow an attacker to use the site as an email relay (i.e. sending arbitrary emails).

There is no mitigation for this vulnerability. If you have the Webform Node module enabled you must update the Webform module.

Cross Site Scripting:

The Webform module enables site builders to create forms and surveys.

The Webform module doesn't sufficiently filter HTML when an element's 'Help title' and an 'Image Select' element's image text contain specially crafted malicious text.

This vulnerability is mitigated by the fact that an attacker must be able to create or edit webforms.

Solution: 

Install the latest version:

• If you use the Webform module for Drupal 9.x, upgrade to Webform 6.1.2 or Webform 6.0.6
• If you use the Webform module version 8.x-5.x it is affected by this issue and is unsupported. You should upgrade to Webform 6.

Reported By: Access Bypass:

• Adam P
• Madelyn Cruz

Cross Site Scripting:

• Rohit Tiwari

Fixed By: Access Bypass:

• Chris McCafferty of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team
• Jacob Rockowitz
• Adam P
• Lee Rowlands of the Drupal Security Team

Cross Site Scripting:

• Jacob Rockowitz

Coordinated By: 

• Chris of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team
• Damien McKenna of the Drupal Security Team

Project: Drupal coreDate: 2021-November-17Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingDescription: 

The Drupal project uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal.

Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content (even without access to CKEditor themselves) may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to target users with access to the WYSIWYG CKEditor, including site admins with privileged access.

For more information, see CKEditor's security advisories:

• CVE-2021-41165: HTML comments vulnerability allowing to execute JavaScript code
• CVE-2021-41164: Advanced Content Filter (ACF) vulnerability allowing to execute JavaScript code using malformed HTML

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

• If you are using Drupal 9.2, update to Drupal 9.2.9.
• If you are using Drupal 9.1, update to Drupal 9.1.14.
• If you are using Drupal 8.9, update to Drupal 8.9.20.

Versions of Drupal prior to 9.1.x are end-of-life and do not receive security coverage.

Note that Drupal 8 has reached its end of life so this is the final security release provided for Drupal 8.

Drupal 7 core does not include the CKEditor module and therefore is not affected.

Reported By: 

• Jacek Bogdański coordinated on the release with Drupal project.
• See the CKEditor announcements above for the original reporters of the vulnerabilities.

Fixed By: 

• xjm of the Drupal Security Team
• Wim Leers
• Greg Knaddison of the Drupal Security Team
• Lauri Eskola
• Ted Bowman

Project: OpenID Connect Microsoft Azure Active Directory clientDate: 2021-November-17Security risk: Moderately critical 14∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access BypassDescription: 

This module enables users to authenticate through their Microsoft Azure AD account.

The module does not sufficiently check authorization before updating user profile information in certain non-default configurations. This could lead a user being able to hijack another existing account.

This vulnerability is mitigated by the fact that an attacker must have knowledge of user accounts that have the administrator role or accounts with the 'Set a password for local authentication' permission. In addition the site must be configured with the 'Update email address in user profile' setting turned on.

Solution: 

Install the latest version:

• If you use the OpenID Connect Microsoft Azure Active Directory client module 7.x-1.x, upgrade to OpenID Connect Microsoft Azure Active Directory client 7.x-1.2
• If you use the OpenID Connect Microsoft Azure Active Directory client module 8.x-1.x, upgrade to OpenID Connect Microsoft Azure Active Directory client 8.x-1.4

Reported By: 

• John Kingsnorth

Fixed By: 

• John Kingsnorth
• Lee Rowlands of the Drupal Security Team
• Jesse Payne
• Fabian de Rijk

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Loft Data GridsDate: 2021-October-13Security risk: Moderately critical 11∕25 AC:Complex/A:Admin/CI:Some/II:Some/E:Proof/TD:UncommonVulnerability:  XML External Entity (XXE) ProcessingDescription: 

This module enables aklump/loft_data_grids to be used as a Drupal module.

Excel support was provided by https://packagist.org/packages/phpoffice/phpexcel, which is abandoned and there are known security vulnerabilities: [CVE-2018-19277]: PHPOffice/PhpSpreadsheet#771. Excel support has since been replaced with the newer https://github.com/PHPOffice/PhpSpreadsheet library.

This module provides an API and This vulnerability is not exploitable in the module itself. This vulnerability only exists if custom code or another module uses the API of this module to read a spreadsheet.

Solution: 

Upgraded to the the latest version.

• https://www.drupal.org/project/loft_data_grids/releases/7.x-2.4
• https://www.drupal.org/project/loft_data_grids/releases/8.x-1.4

Reported By: 

• Lucas Hedding

Fixed By: 

• Aaron Klump

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Michael Hess of the Drupal Security Team