News reader

S3 File System - Moderately critical - Access bypass - SA-CONTRIB-2022-057

Security advisories (contrib) - 28 September 2022, 18:29
Project: S3 File System
Date: 2022-September-28
Security risk: Moderately critical 10/25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Description:

This module enables you to utilize S3-compatible storage as a Drupal filesystem.

The module doesn't sufficiently prevent file access across multiple filesystem schemes stored in the same bucket.

This vulnerability is mitigated by the fact that an attacker must obtain a method to access arbitrary file paths, the site must have public or private takeover enabled, and the file metadata cache must be ignored.

Solution: 

Install the latest version:

Reported By:
Fixed By:
Coordinated By:

Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2022-016

Security advisories (core) - 28 September 2022, 18:24
Project: Drupal core
Date: 2022-September-28
Security risk: Critical 18/25 AC:Basic/A:Admin/CI:All/II:All/E:Proof/TD:All
Vulnerability: Multiple vulnerabilities
Affected versions: >= 8.0.0 <9.3.22 || >= 9.4.0 <9.4.7
CVE IDs: CVE-2022-39261
Description:

Drupal uses the Twig third-party library for content templating and sanitization. Twig has released a security update that affects Drupal. Twig has rated the vulnerability as high severity.

Drupal core's code extending Twig has also been updated to mitigate a related vulnerability.

Multiple vulnerabilities are possible if an untrusted user has access to write Twig code, including potential unauthorized read access to private files, the contents of other files on the server, or database credentials.

The vulnerability is mitigated by the fact that an exploit is only possible in Drupal core with a restricted access administrative permission. Additional exploit paths for the same vulnerability may exist with contributed or custom code that allows users to write Twig templates.

Solution: 

Install the latest version:

All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core does not include Twig and therefore is not affected.

Reported By:
Fixed By:

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2022-056

Security advisories (contrib) - 7 September 2022, 19:06
Project: Permissions by Term
Version: 3.1.18
Date: 2022-September-07
Security risk: Moderately critical 14/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

This module enables you to set content permissions based on taxonomy terms.

The module doesn't sufficiently restrict access to translated and unpublished nodes.

This vulnerability is mitigated by the fact that it only affects sites with translated content.

Solution: 

Install the latest version:

  • If you use the Permissions by Term module for Drupal 9.x, upgrade to version 3.1.19
Reported By:
Fixed By:
Coordinated By:

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2022-055

Security advisories (contrib) - 7 September 2022, 19:04
Project: Permissions by Term
Version: 3.1.17, 3.1.16, 3.1.15, 3.1.14, 3.1.13, 3.1.12, 3.1.11, 3.1.10, 3.1.9, 3.1.8, 3.1.7, 3.1.6, 3.1.5, 3.1.4, 3.1.3, 3.1.2, 3.1.1, 3.1.0, 3.0.1, 3.0.0
Date: 2022-September-07
Security risk: Moderately critical 14/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

This module enables you to restrict content via taxonomy terms and related permissions.

The module doesn't sufficiently restrict cached content in certain circumstances.

This vulnerability is mitigated by the fact that it only occurs when multiple entity types are enabled in the module.

Solution: 

Install the latest version:

  • If you use the Permissions by Term module for Drupal 9.x, upgrade to version 3.1.19
Reported By:
Fixed By:
Coordinated By:

Next.js - Moderately critical - Access bypass - SA-CONTRIB-2022-054

Security advisories (contrib) - 7 September 2022, 18:57
Project: Next.js
Version: 1.2.0, 1.1.0, 1.0.0
Date: 2022-September-07
Security risk: Moderately critical 12/25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

The Next.js module provides an inline preview for content. Authenticated requests are made to Drupal to fetch JSON:API content and render it in an iframe from the decoupled Next.js site.

The current implementation doesn't sufficiently check access for fetching data. All requests made to Drupal are authenticated using a single scope with elevated content access, so users without access to a piece of content could be shown it in the preview.

Solution: 

If you use the Next.js module for Drupal 9.x:

  1. Upgrade to version v1.3.0.
  2. Edit the Next.js user and assign all roles that can be used as scopes. The granted roles will be filtered based on roles assigned to the current user.

See the upgrade guide at https://next-drupal.org/docs/upgrade-guide.

Reported By:
Fixed By:
Coordinated By:

Commerce Elavon - Moderately critical - Access bypass - SA-CONTRIB-2022-053

Security advisories (contrib) - 24 August 2022, 20:21
Project: Commerce Elavon
Version: 8.x-2.2, 8.x-2.1, 8.x-2.0, 8.x-2.0-beta2, 8.x-2.0-beta1, 7.x-1.4, 7.x-1.3, 7.x-1.2, 7.x-1.1, 7.x-1.0
Date: 2022-August-24
Security risk: Moderately critical 11/25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:Default
Vulnerability: Access bypass
Affected versions: <=2.2.0
Description:

This module enables you to accept payments from the Elavon payment provider.

The module doesn't sufficiently verify that it's communicating with the correct server when using the Elavon (On-site) payment gateway, which could lead to leaking valid payment details as well as accepting invalid payment details.

This vulnerability is mitigated by the fact that an attacker must be able to spoof the DNS answers your site receives for the Elavon gateway hostname.

Solution: 

Install the latest version:

Reported By:
Fixed By:
Coordinated By:

jQuery UI Checkboxradio - Moderately critical - Cross site scripting - SA-CONTRIB-2022-052

Security advisories (contrib) - 10 August 2022, 17:09
Project: jQuery UI Checkboxradio
Version: 8.x-1.3, 8.x-1.2, 8.x-1.1, 8.x-1.0
Date: 2022-August-10
Security risk: Moderately critical 13/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Uncommon
Vulnerability: Cross site scripting
Description:

jQuery UI is a third-party library used by Drupal. The jQuery UI Checkboxradio module provides the jQuery UI Checkboxradio library (which was previously in Drupal 8 core, but has since been removed from core and moved to this module).

As part of the jQuery UI 1.13.2 update, the jQuery UI project disclosed the following security issue, which may affect sites using the jQuery UI Checkboxradio module:

Solution: 

Install the latest version. If you use the jQuery UI Checkboxradio module for Drupal 9, upgrade to:

Reported By: 
  • Benji Fisher, provisional member of the Drupal Security Team
Fixed By:
Coordinated By:
  • xjm of the Drupal Security Team

Tagify - Moderately critical - Access bypass - SA-CONTRIB-2022-051

Security advisories (contrib) - 27 July 2022, 19:07
Project: Tagify
Version: 1.0.4, 1.0.3, 1.0.2-beta1, 1.0.1-beta1, 1.0.0-beta1
Date: 2022-July-27
Security risk: Moderately critical 11/25 AC:Complex/A:User/CI:None/II:Some/E:Exploit/TD:Uncommon
Vulnerability: Access bypass
Description:

This module provides a widget that turns entity reference fields into a more user-friendly, high-performance tags input component.

The module doesn't sufficiently check access for the add operation. Users with permission to edit content can view and reference unpublished terms. The edit form may expose term data that users could not otherwise see, since there is no term view route by default.

This vulnerability is slightly mitigated by the fact that an attacker must have a role with the permission "access content", so it may not be exploitable by anonymous users on all sites.

Solution: 

Install the latest version:

  • If you use the Tagify module for Drupal 9.x, upgrade to Tagify 1.0.5
Reported By:
Fixed By:
Coordinated By:

PDF generator API - Moderately critical - Remote Code Execution - SA-CONTRIB-2022-050

Security advisories (contrib) - 27 July 2022, 19:03
Project: PDF generator API
Version: 2.2.1, 2.2.0, 2.1.0, 2.0.0
Date: 2022-July-27
Security risk: Moderately critical 12/25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Remote Code Execution
Description:

This module enables you to generate PDF versions of content.

Some installations of the module make use of the dompdf/dompdf third-party dependency.

Security vulnerabilities exist for versions of dompdf/dompdf before 2.0.0 as described in the 2.0.0 release notes.

Solution: 

Install the latest version:

  • If you use the pdf_api module for Drupal 2.x, upgrade to pdf_api 2.2.2
Reported By:
Fixed By:
Coordinated By:

Context - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-049

Security advisories (contrib) - 27 July 2022, 18:59
Project: Context
Version: 7.x-3.10, 7.x-3.9, 7.x-3.8, 7.x-3.7, 7.x-3.6, 7.x-3.5, 7.x-3.4, 7.x-3.3, 7.x-3.2, 7.x-3.1, 7.x-3.0, 7.x-3.0-rc1, 7.x-3.0-beta7, 7.x-3.0-beta6, 7.x-3.0-beta5, 7.x-3.0-beta4, 7.x-3.0-beta3, 7.x-3.0-beta2, 7.x-3.0-beta1, 7.x-3.0-alpha3, 7.x-3.0-alpha2, 7.x-3.0-alpha1
Date: 2022-July-27
Security risk: Moderately critical 12/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Scripting
Description:

This module enables you to conditionally display blocks in particular theme regions.

The module doesn't sufficiently sanitize the title of a block as displayed in the admin UI when a site administrator edits a context block reaction.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

Solution: 

Install the latest version:

Reported By:
Fixed By:
Coordinated By:

Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2022-015

Security advisories (core) - 20 July 2022, 17:41
Project: Drupal core
Date: 2022-July-20
Security risk: Moderately critical 11/25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Multiple vulnerabilities
Description:

The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core does not include the Media module and therefore is not affected.

Reported By: 
  • Heine of the Drupal Security Team
Fixed By: 

Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2022-014

Security advisories (core) - 20 July 2022, 17:40
Project: Drupal core
Date: 2022-July-20
Security risk: Critical 15/25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon
Vulnerability: Arbitrary PHP code execution
Description:

Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010).

However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files' filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core's default .htaccess files and possible remote code execution.

This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads.

Solution: 

Install the latest version:

All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core is not affected.

Auditing your files directory's .htaccess to ensure it has not been overwritten or overridden in a subdirectory

If your web server uses Apache httpd with AllowOverride, you should check within your files directories and subdirectories to ensure that any .htaccess files present are intentional. You can search for files named .htaccess by running the following command in the roots of both your public and private files directory:

find ./ -name ".htaccess" -print

Drupal automatically creates .htaccess files like the following in the root of the public files directory:

# Turn off all options we don't need.
Options -Indexes -ExecCGI -Includes -MultiViews

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  # Override the handler again if we're run later in the evaluation list.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>

# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php7.c>
  php_flag engine off
</IfModule>
<IfModule mod_php.c>
  php_flag engine off
</IfModule>

Check with your system administrator for the correct .htaccess configuration for the given files directory.
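As an added example (not part of the advisory and not Drupal's own code), the script below wraps the find command above in a check that also verifies each .htaccess it finds still carries the directives Drupal writes, and that the root .htaccess has not gone missing; the sample files tree it builds under mktemp is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the advisory: audit every .htaccess below a
# Drupal files directory and flag any that lacks the protective directives
# quoted above. Sample files are constructed in a temporary directory.

# The .htaccess Drupal writes to the public files root (from the advisory; apostrophes dropped).
GOOD_HTACCESS='# Turn off all options we do not need.
Options -Indexes -ExecCGI -Includes -MultiViews
# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  # Override the handler again if we are run later in the evaluation list.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>
# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php7.c>
  php_flag engine off
</IfModule>
<IfModule mod_php.c>
  php_flag engine off
</IfModule>'

# check_htaccess FILE: succeeds only if FILE carries all four protections.
check_htaccess() {
  grep -q 'Options -Indexes -ExecCGI -Includes -MultiViews' "$1" &&
  grep -q 'SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006' "$1" &&
  grep -q 'SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003' "$1" &&
  grep -q 'php_flag engine off' "$1"
}

# audit_htaccess DIR: runs the advisory's find over DIR, prints a verdict per
# file, and returns non-zero if the root .htaccess is missing or any lacks the protections.
audit_htaccess() {
  bad=0
  [ -f "$1/.htaccess" ] || { echo "MISSING $1/.htaccess"; bad=1; }
  for f in $(find "$1" -name ".htaccess" -print); do
    if check_htaccess "$f"; then
      echo "ok $f"
    else
      echo "SUSPICIOUS $f"
      bad=$((bad + 1))
    fi
  done
  [ "$bad" -eq 0 ]
}

# make_sample_tree: constructed fixture with a correct root .htaccess and an
# unintended override in a subdirectory; prints the directory path.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/styles/thumbnail"
  printf '%s\n' "$GOOD_HTACCESS" > "$d/.htaccess"
  printf 'Options +Indexes\n' > "$d/styles/thumbnail/.htaccess"
  echo "$d"
}

if [ "${1:-}" = "--demo" ]; then   # stand-alone run: the styles/ override is flagged
  audit_htaccess "$(make_sample_tree)"
fi
```

Run it against the real directories with `audit_htaccess sites/default/files` (and the private files path) instead of the constructed tree; any SUSPICIOUS or MISSING line deserves a look.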

This advisory is not covered by Drupal Steward.

Reported By:
Fixed By:

Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013

Security advisories (core) - 20 July 2022, 17:35
Project: Drupal core
Date: 2022-July-20
Security risk: Moderately critical 12/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Access Bypass
Description:

Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to.

No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core is not affected.

Reported By:
Fixed By:

Drupal core - Moderately critical - Information Disclosure - SA-CORE-2022-012

Security advisories (core) - 20 July 2022, 17:34
Project: Drupal core
Date: 2022-July-20
Security risk: Moderately critical 13/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Information Disclosure
Description:

In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system.

Access to a non-public file is checked only if it is stored in the "private" file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability.

This vulnerability is mitigated by the fact that it only applies when the site sets (Drupal 9) $config['image.settings']['allow_insecure_derivatives'] or (Drupal 7) $conf['image_allow_insecure_derivatives'] to TRUE. The recommended and default setting is FALSE, and Drupal core does not provide a way to change that in the admin UI.

Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing files or image styles after updating.

Solution: 

Install the latest version:

All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Reported By:
Fixed By:

Entity Print - Moderately critical - Multiple: Remote Code Execution, Information disclosure - SA-CONTRIB-2022-048

Security advisories (contrib) - 13 July 2022, 17:44
Project: Entity Print
Date: 2022-July-13
Security risk: Moderately critical 13/25 AC:Complex/A:User/CI:Some/II:Some/E:Proof/TD:Default
Vulnerability: Multiple: Remote Code Execution, Information disclosure
Description:

This module enables you to generate print versions of content.

Some installations of the module make use of the dompdf/dompdf third-party dependency.

Security vulnerabilities exist for versions of dompdf/dompdf < 2.0.0.

See the library release notes for more detail: https://github.com/dompdf/dompdf/releases/tag/v2.0.0

Note on 3rd party vulnerabilities

This security advisory corresponds to a 3rd party vulnerability. Normally the Drupal Security Team would not issue advisories related to 3rd party code that is shipped separately from a module, per our policy (most recent update is PSA-2019-09-04). In this case, because the module required a specific version and could not be updated without a change to the Drupal module, we do issue an advisory.

Solution: 

Install the latest version (8.x-2.6) of this module and update dompdf/dompdf at the same time. It is recommended to use Composer to do the update, with commands similar to the following:

composer update drupal/entity_print
composer require dompdf/dompdf:~2

Reported By:
Fixed By:
Coordinated By:

Config Terms - Critical - Access bypass - SA-CONTRIB-2022-047

Security advisories (contrib) - 29 June 2022, 19:25
Project: Config Terms
Date: 2022-June-29
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Access bypass
Description:

This module enables you to create and manage a version of taxonomy based on configuration entities instead of content. This allows the terms, vocabularies, and their structure to be exported, imported, and managed as site configuration.

The module doesn't sufficiently check access for the edit and delete operations. Users with "access content" permission can edit or delete any term. The edit form may expose term data that users could not otherwise see, since there is no term view route by default.

This vulnerability is slightly mitigated by the fact that an attacker must have a role with the permission "access content", so it may not be exploitable by anonymous users on all sites.

Solution: 

Install the latest version:

Reported By:
Fixed By:

Lottiefiles Field - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-046

Security advisories (contrib) - 29 June 2022, 18:51
Project: Lottiefiles Field
Date: 2022-June-29
Security risk: Moderately critical 14/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Description:

The Lottiefiles Field module enables you to integrate Lottiefiles animations into your page.

The module does not sufficiently filter user-provided text on output, resulting in a Cross-Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create or edit content that has lottiefiles fields.

Solution: 

Install the latest version:

Reported By:
Fixed By:
Coordinated By:

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-011

Security advisories (core) - 10 June 2022, 21:39
Project: Drupal core
Date: 2022-June-10
Security risk: Moderately critical 13/25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Third-party libraries
CVE IDs: CVE-2022-31042, CVE-2022-31043
Description:

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released two security advisories:

These do not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites.

We are issuing this security advisory outside our regular Drupal security release window schedule since Guzzle has already published information about the vulnerabilities, and vulnerabilities might exist in contributed modules or custom modules that use Guzzle for outgoing requests. Guzzle has rated these vulnerabilities as high-risk.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 is not affected.

Reported By:
Fixed By: