Hírolvasó

Project: Responsive MenusVersion: 7.x-1.x-devDate: 2018-December-05Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross site scriptingDescription: 

This module enables you to collapse your sites main menu on mobile, and show a menu toggle button.

The module doesn't sufficiently sanitize configuration settings provided by users which leads to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer responsive menus".

Solution: 

Install the latest version:

• If you use the responsive_menus module for Drupal 7.x, upgrade to responsive_menus 7.x-1.7

Reported By: 

• Ayesh Karunaratne

Fixed By: 

• Joshua Walker

Coordinated By: 

• Michael Hess of the Drupal Security Team
• David Snopek of the Drupal Security Team

Project: Salesforce SuiteDate: 2018-December-05Security risk: Moderately critical 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

This module enables Drupal to synchronize entities with Salesforce records. The module includes a page that does not sufficiently protect access rights, resulting in potential information disclosure.

This vulnerability is mitigated by the fact that only Drupal entity title and IDs, and Salesforce record IDs are exposed. Entity content and metadata are appropriately protected. Disclosure of Salesforce ID does not confer any additional privileges.

Solution: 

Install the latest version:

• If you use the Salesforce Suite module for Drupal 8.x, upgrade to Salesforce Suite 8.x-3.1

Also see the Salesforce Suite project page.

Reported By: 

• Oskar Schöldström

Fixed By: 

• Aaron Bauman
• Gabriel Carleton-Barnes

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Password PolicyVersion: 7.x-1.x-devDate: 2018-December-05Security risk: Less critical 9∕25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:DefaultVulnerability: Denial of ServiceDescription: 

The Password Policy module makes it possible to set constraints on user passwords which disallow certain passwords.

The "digit placement" constraint is vulnerable to Denial of Service attacks if an attacker submits specially crafted passwords which can cause a site to become unresponsive.

This vulnerability is mitigated by the fact that a site must have the "digit placement" constraint enabled.

Solution: 

Install the latest version:

• If you use the Password Policy module for Drupal 7.x, upgrade to Password Policy 7.x-1.16

Reported By: 

• Michael Sherron

Fixed By: 

• AohRveTPV

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• David Snopek of the Drupal Security Team

Project: Date ReminderDate: 2018-November-28Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

This module allows registered users to request email reminders to be sent at a specified time before an event.

The module doesn't sufficiently check access to nodes, allowing a user to set a reminder on a node that the user shouldn't be able to access.

This can be mitigated with configuring DateReminder with Reminder Display: "Fieldset within a node" disables the potential exploit.

Solution: 

Install the latest version:

• If you use the Date Reminder module for Drupal 7.x, upgrade to Date Reminder 7.x-1.15

Also see the Date Reminder project page.

Reported By: 

• than_nak87

Fixed By: 

• dwillcox
• Balazs Janos Tatar Provisional Security Team member

Coordinated By: 

Balazs Janos Tatar Provisional Security Team member

Project: GatherContentDate: 2018-November-28Security risk: Moderately critical 13∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

This module enables you to import and export data from the GatherContent service.

The module didn't properly protect its administrative paths.

Solution: 

• gathercontent 7.x versions prior to 7.x-3.5.

Drupal core is not affected. If you do not use the contributed GatherContent module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the gathercontent module for Drupal 7.x, upgrade to gathercontent 7.x-3.5

Reported By: 

• Francisco Rodriguez

Fixed By: 

• Roland Kovacsics

Coordinated By: 

• Michael Hess of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: BootstrapVersion: 7.x-3.228.x-3.14Date: 2018-November-28Security risk: Moderately critical 11∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross site scriptingDescription: 

This base theme bridges the gap between Drupal and the Bootstrap Framework.

The theme doesn't sufficiently filter valid targets under the scenario of opening modals, popovers, and tooltips.

This vulnerability is mitigated by the fact that an attacker must already have the ability to either:

1. Edit/save custom content that supplies a value for the data-target attribute by injecting malicious code.
2. Inject custom markup onto the page that further exploits the data-target attribute by injecting malicious code. This method of attack is highly unlikely if they already have this level of access.

Note: while the base-theme does not provide either of these opportunities to do this out-of-the-box; a custom sub-theme may, however, be susceptible if it didn't sanitize or filter user provided input for XSS properly.

Solution: 

Install the latest version and take additional manual steps (see below).

• If you use the Drupal Bootstrap base-theme for Drupal 7.x, upgrade to 7.x-3.22
• If you use the Drupal Bootstrap base-theme for Drupal 8.x, upgrade to 8.x-3.14

Extra Note:

The vulnerability fixed in the Bootstrap theme releases on Drupal.org is a by-product from forking parts of the external framework's JavaScript code. The external framework's vulnerability was first reported in a public issue and later a fix for this vulnerability was merged into the external framework, however an official release of the external framework has yet to be made.

Users of this theme should take two additional steps:

1. Follow this external framework issue for further information and to keep up-to-date on when you need to upgrade your sub-theme's external framework source. You may consider using the distributed files from the temporary branch master-xmr-v3-fixes until an official release is made.
2. Review any custom code on your site that might have copied from the external framework's vulnerable code.

Also see the Bootstrap project page.

Reported By: 

• Gomez_in_the_South

Fixed By: 

• Mark Carver

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• 
  Samuel Mortenson of the Drupal Security Team

Project: ParagraphsVersion: 8.x-1.4Date: 2018-October-31Security risk: Moderately critical 10∕25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:UncommonVulnerability: Access BypassDescription: 

The Paragraphs module allows Drupal Site Builders to make content organization cleaner so that you can give more editing power to end-users.

The module doesn't sufficiently check access to create new paragraph entities which can cause access bypass issues when used in combination with other contributed modules.

Solution: 

Install the latest version:

• If you use the Paragraphs module for Drupal 8.x, upgrade to Paragraphs 8.x-1.5

Also see the Paragraphs project page.

Reported By: 

• Sam Becker

Fixed By: 

• Sam Becker
• Alex Pott of the Drupal Security Team
• Sascha Grossenbacher
• Alex Bronstein of the Drupal Security Team
• Mateu Aguiló Bosch
• Miro Dietiker

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Session LimitVersion: 7.x-2.28.x-1.0-beta2Date: 2018-October-31Security risk: Critical 15∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Insecure Session ManagementDescription: 

The session limit module enables a site administrator to set a policy around the number of active sessions users of the site may have. This is typically set to one so that you can only be logged in once with the same user account.

In one configuration of the module, when a user logs in with another session elsewhere already active, the module asks the user which session should be closed before they can proceed with login. The module does not sufficiently tokenise the list of sessions so that the user's session keys can be found through inspection of the form.

This vulnerability is mitigated by the fact that an attacker must already be able to intercept the contents of the HTML page to exploit the issue. That ability to intercept may come from Cross Site Scripting. This makes a Cross Site Scripting vulnerability worse than it would normally be.

Solution: 

Install the latest version:

• If you use the Session Limit module for Drupal 7.x, upgrade to 7.x-2.3
• If you use the Session Limit module for Drupal 8.x, upgrade to 8.x-1.0-beta3

Also see the Session Limit project page.

Reported By: 

• Simon Kapadia

Fixed By: 

• John Ennew

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Decoupled RouterVersion: 8.x-1.18.x-1.0Date: 2018-October-31Security risk: Critical 15∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

This module enables you to resolve the provided Drupal path in order to find the canonical path and information about the resolved entity. This information includes entity type ID, entity ID, entity UUID and entity label.

The module doesn't sufficiently check access before displaying entity labels. This leads to the display of labels on entities that are not be accessible, for example; titles of unpublished content.

Solution: 

Install the latest version:

• If you use the Decoupled Router module for Drupal 8.x, upgrade to Decoupled Router 8.x-1.2

Also see the Decoupled Router project page.

Reported By: 

• Rainer Friederich

Fixed By: 

• Mateu Aguiló Bosch

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Michael Hess (mlhess) of the Drupal Security Team

Project: Search AutocompleteDate: 2018-October-17Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingCVE IDs: CVE-2018-7603Description: 

This Search Autocomplete module enables you to autocomplete textfield using data from your website (nodes, comments, etc..).

The module doesn't sufficiently filter user-entered text among the autocompletion items leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability can be exploited by any user allowed to create one of the autocompletion item, for instance, nodes, users, comments.

Solution: 

Install the latest version:

• If you use the Search Autocomplete module for Drupal 7.x, upgrade to Search Autocomplete 7.x-4.8

Also see the Search Autocomplete project page.

Reported By: 

• Simon Kapadia

Fixed By: 

• Dominique CLAUSE

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: HTML MailDate: 2018-October-17Security risk: Critical 17∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Remote Code ExecutionDescription: 

The HTML Mail module lets you theme your messages the same way you theme the rest of your website.

When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution.

This issue is related to the Drupal Core release SA-CORE-2018-006.

Solution: 

Install the latest version:

• If you are running Drupal 7.x,
  • update to 7.x-2.71.
  • In case you're still using 7.x-2.65, there is a version 7.x-2.66 which has only the security patch applied, but you must realize that you are running old code and you're missing a number of bug fixes.

Also see the HTML Mail project page.

Reported By: 

• Damien Tournoud

Fixed By: 

• Hans Salvisberg

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Mime MailDate: 2018-October-17Security risk: Critical 17∕25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Remote Code ExecutionDescription: 

The MIME Mail module allows to send MIME-encoded e-mail messages with embedded images and attachments.

The module doesn't sufficiently sanitized some variables for shell arguments when sending email, which could lead to arbitrary remote code execution.

This issue is related to the Drupal Core release SA-CORE-2018-006.

Solution: 

Install the latest version:

• If you use the Mime Mail module for Drupal 7.x, upgrade to Mime Mail 7.x-1.1

Also see the Mime Mail project page.

Reported By: 

• RainbowLyte

Fixed By: 

• sgabe

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

• Advisory ID: DRUPAL-SA-CONTRIB-2018-006
• Project: Drupal core
• Version: 7.x, 8.x
• Date: 2018-October-17

Description

Content moderation - Moderately critical - Access bypass - Drupal 8

In some conditions, content moderation fails to check a users access to use certain transitions, leading to an access bypass.

In order to fix this issue, the following changes have been made to content moderation which may have implications for backwards compatibility:

ModerationStateConstraintValidator

Two additional services have been injected into this service. Anyone subclassing this service must ensure these additional dependencies are passed to the constructor, if the constructor has been overridden.

StateTransitionValidationInterface

An additional method has been added to this interface. Implementations of this interface which do not extend the StateTransitionValidation should implement this method.

Implementations which do extend from the StateTransitionValidation should ensure any behavioural changes they have made are also reflected in this new method.

User permissions

Previously users who didn't have access to use any content moderation transitions were granted implicit access to update content provided the state of the content did not change. Now access to an associated transition will be validated for all users in scenarios where the state of content does not change between revisions.

Reported by

• Roland Kovacsics
• attilatilman

Fixed by

• Jess of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team
• Wim Leers
• Daniel Wehner
• Sam Becker
• Tim Millwood
• Alex Pott of the Drupal Security Team

External URL injection through URL aliases - Moderately Critical - Open Redirect - Drupal 7 and Drupal 8

The path module allows users with the 'administer paths' to create pretty URLs for content.

In certain circumstances the user can enter a particular path that triggers an open redirect to a malicious url.

The issue is mitigated by the fact that the user needs the administer paths permission to exploit.

Reported by

• dyates

Fixed by

• Dave Reid of the Drupal Security Team
• David Rothstein of the Drupal Security Team
• Peter Wolanin of the Drupal Security Team
• Jess of the Drupal Security Team
• Alex Bronstein of the Drupal Security Team
• Nathaniel Catchpole of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team
• Ted Bowman Provisional member of the Drupal Security Team

Anonymous Open Redirect - Moderately Critical - Open Redirect - Drupal 8

Drupal core and contributed modules frequently use a "destination" query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.

This vulnerability has been publicly documented.

RedirectResponseSubscriber event handler removal

As part of the fix, \Drupal\Core\EventSubscriber\RedirectResponseSubscriber::sanitizeDestination has been removed, although this is a public function, it is not considered an API as per our API policy for event subscribers.
If you have extended that class or are calling that method, you should review your implementation in line with the changes in the patch. The existing function has been removed to prevent a false sense of security.

Reported by

• Brian Osborne

Fixed by

• Michael Hess of the Drupal Security Team
• Wim Leers
• Alex Pott of the Drupal Security Team
• Grant Gaudet
• Lee Rowlands of the Drupal Security Team
• Nathaniel Catchpole of the Drupal Security Team
• Jess of the Drupal Security Team

Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution - Drupal 7 and Drupal 8

When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution.

Reported by

• Damien Tournoud

Fixed by

• Lee Rowlands of the Drupal Security Team
• Sascha Grossenbacher
• Daniel Wehner
• Klaus Purer
• Damien Tournoud
• Stefan Ruijsenaars of the Drupal Security Team
• David Rothstein of the Drupal Security Team
• David Snopek of the Drupal Security Team
• Jess of the Drupal Security Team
• Wim Leers
• Peter Wolanin of the Drupal Security Team
• Ted Bowman Provisional member of the Drupal Security Team

Contextual Links validation - Critical - Remote Code Execution - Drupal 8

The Contextual Links module doesn't sufficiently validate the requested contextual links.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access contextual links".

Reported by

• Nick Booher

Fixed by

• Lee Rowlands of the Drupal Security Team
• Nick Booher
• Samuel Mortenson of the Drupal Security Team
• Wim Leers
• Alex Pott of the Drupal Security Team

Solution

Upgrade to the most recent version of Drupal 7 or 8 core.

• If you are running 7.x, upgrade to Drupal 7.60.
• If you are running 8.6.x, upgrade to Drupal 8.6.2.
• If you are running 8.5.x or earlier, upgrade to Drupal 8.5.8.

Minor versions of Drupal 8 prior to 8.5.x are not supported and do not receive security coverage, so sites running older versions should update to the above 8.5.x release immediately. 8.5.x will receive security coverage until May 2019.

Project: Workbench ModerationDate: 2018-October-17Security risk: Moderately critical 11∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Access bypassDescription: 

The Workbench Moderation module adds arbitrary moderation states to Drupal core's "unpublished" and "published" node states, and affects the behavior of node revisions when nodes are published.

In some conditions, content moderation fails to check a users access to use certain transitions, leading to an access bypass.

This issue is related to the Drupal Core release SA-CORE-2018-006.

Solution: 

Install the latest version:

• If you use the Workbench Moderation module for Drupal 8.x, upgrade to Workbench Moderation 8.x-1.4

Also see the Drupal core project page.

Reported By: 

• Roland Kovacsics

Fixed By: 

• Wim Leers
• Daniel Wehner
• Sam Becker
• Tim Millwood
• Alex Pott of the Drupal Security Team

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team

Project: NVP fieldDate: 2018-October-10Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingDescription: 

NVP field module allows you to create a field type of name/value pairs, with custom
titles and easily editable rendering with customizable HTML/text surrounding the pairs.

The module doesn't sufficiently handle sanitization of its field formatter's output.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission of creating/editing content where the module defined fields are in use.

Solution: 

Install the latest version:

• If you use the NVP field module for Drupal 7.x, upgrade to NVP field 7.x-1.1

Also see the NVP field project page.

Reported By: 

• Balazs Janos Tatar Provisional Security Team Member

Fixed By: 

• John Avery

Coordinated By: 

• Michael Hess of the Drupal Security Team

Project: Search API Solr SearchVersion: 7.x-1.13Date: 2018-October-10Security risk: Moderately critical 10∕25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassDescription: 

This module provides support for creating searches using the Apache Solr search engine and the Search API Drupal module.

The module doesn't sufficiently take the searched fulltext fields into account when creating a search excerpt. This can, in specific cases, lead to confidential data being leaked as part of the search excerpt.

Solution: 

Install the latest version:

• If you use the Search API Solr Search module for Drupal 7.x, upgrade to Search API Solr Search 7.x-1.14

Also see the Search API Solr Search project page.

Reported By: 

• Ronino

Fixed By: 

• Thomas Seidl
• Markus Kalkbrenner
• Ronino

Coordinated By: 

• Michael Hess of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: Lightbox2Version: 7.x-2.x-devDate: 2018-October-10Security risk: Critical 18∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingDescription: 

The Lightbox2 module enables you to overlay images on the current page.

The module did not sanitize some inputs when used in combination with a custom view leading to potential Cross Site Scripting (XSS).

Solution: 

Install the latest version:

• If you use the Lightbox2 module for Drupal 7.x, upgrade to Lightbox2 release 7.x-2.11

Also see the Lightbox2 project page.

Reported By: 

• emf

Fixed By: 

• joseph.olstad
• Stella Power of the Drupal Security Team

Coordinated By: 

• David Stoline of the Drupal Security Team

Project: Printer, email and PDF versionsVersion: 7.x-2.x-devDate: 2018-October-03Security risk: Highly critical 20∕25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Remote Code ExecutionDescription: 

This module provides printer-friendly versions of content, including send by e-mail and PDF versions.

The module doesn't sufficiently sanitize the arguments passed to the wkhtmltopdf executable, allowing a remote attacker to execute arbitrary shell commands. It also doesn't sufficiently sanitize the HTML content passed to dompdf, allowing a privileged attacker to execute arbitrary PHP code.

This vulnerability is mitigated by the fact that the site must have either the wkhtmltopdf or dompdf sub-modules enabled and selected as the PDF generation tool. In the case of the dompdf vulnerability, the attacker must be able to write content to the site.

Solution: 

Install the latest version:

• If you use the print module for Drupal 7.x, upgrade to print 7.x-2.1

In alternative, disable PDF generation, or replace the PDF generation library with another of the supported versions.

Also see the Printer, email and PDF versions project page.

Reported By: 

• yoloClin

Fixed By: 

• Lee Rowlands of the Drupal Security Team
• João Ventura
• yoloClin

Coordinated By: 

• Lee Rowlands of the Drupal Security Team
• Michael Hess of the Drupal Security Team

Project: Commerce Klarna CheckoutVersion: 7.x-1.4Date: 2018-September-26Security risk: Moderately critical 13∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

The Commerce Klarna Checkout module enables you to accept payments from the Klarna Checkout payment provider

The module doesn't sufficiently validate the payment callback made by Klarna. An attacker could bypass the payment step.

Solution: 

Install the latest version:

• If you use the Commerce Klarna Checkout module for Drupal 7.x, upgrade to Commerce Klarna Checkout 7.x-1.5

Also see the Commerce Klarna Checkout project page.

Reported By: 

• Josef Gullström

Fixed By: 

• Eirik Morland
• Josef Gullström

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Taxonomy File TreeVersion: 7.x-1.0Date: 2018-September-26Security risk: Moderately critical 13∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

Taxonomy File Tree allows site managers to create file trees.

For files managed as Drupal files, the module does not properly check that a user has access to a file before letting the user download the file.

This vulnerability only affects sites that use private files.

Solution: 

Install the latest version:

• If you use the Taxonomy File Tree module for Drupal 7.x, upgrade to Taxonomy File Tree 7.x-1.1

Also see the Taxonomy File Tree project page.

Reported By: 

• Nathaniel Catchpole of the Drupal Security Team

Fixed By: 

• James Aparicio
• Nathaniel Catchpole of the Drupal Security Team
• Francesco Placella

Coordinated By: 

• Greg Knaddison of the Drupal Security Team