Hírolvasó

AI (Artificial Intelligence) - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-003

Biztonsági figyelmeztetések (contrib) - 2025. január 15. 16.58
Project: AI (Artificial Intelligence)Date: 2025-January-15Security risk: Critical 15 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site Request ForgeryAffected versions: >1.0.0 <1.0.2Description: 

The Drupal AI module provides a framework for easily integrating Artificial Intelligence on any Drupal site using any kind of AI (from multiple vendors). The sub-modules AI Chatbot and AI Assistants API allow users to interact with the Drupal site via a 'chat' interface.

The AI Chatbot module doesn't protect against Cross Site Request Forgeries in the Deepchat chatbot. This could allow an attacker to craft a scenario that can forge a request on behalf of a privileged user. When combined with the AI Search submodule, this could result in the AI Assistant exposing indexed data that the attacker should not have access to. When combined with the external AI Agent module, this could result in the AI Assistant exposing and allowing modification of site configuration of fields, content types, and vocabularies. Sites with custom built agents, with more privileged access, could be at greater risk from an exploit of this vulnerability.

This vulnerability is mitigated by:

  • The targeted user needs to have an active session with a role with the "access deepchat api" permission and permission to assistants.
  • To extract data, the target site must have a permissive CORS policy allowing the attacking site to read the result of a cross origin request.
  • To modify data, the targeted user must have permission to use the configured agents.
Solution: 

Install the latest version:

  • If you use the AI module, upgrade to AI 1.0.2

If you cannot update, you can can uninstall the AI Chatbot sub-module.

Reported By: Fixed By: Coordinated By: 

Profile Private - Critical - Unsupported - SA-CONTRIB-2025-002

Biztonsági figyelmeztetések (contrib) - 2025. január 8. 18.54
Project: Profile PrivateDate: 2025-January-08Security risk: Critical 15 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Reported By: Coordinated By: 

Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-001

Biztonsági figyelmeztetések (contrib) - 2025. január 8. 18.22
Project: Email TFADate: 2025-January-08Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <2.0.3Description: 

This module enables you to do Two-Factor Authentication by email, using a user registered email to send a verification code to the user's email every time the user tries to log in to your site.

The module did not sufficiently protect against brute force attacks, allowing an attacker to bypass the second factor.

This vulnerability is mitigated by the fact the attacker must be able to present the username and first factor (i.e. password).

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-076

Biztonsági figyelmeztetések (contrib) - 2024. december 11. 17.53
Project: Open SocialDate: 2024-December-11Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <12.3.10 || >=12.4.0 <12.4.9Description: 

Open Social is a Drupal distribution for online communities, which ships with a default (optional) module social_file_private to ensure the images and files provided by the distribution are stored in the private instead of the public filesystem.

During updates from Open Social versions installed prior to 11.8.0 these files were not updated correctly and as a result the module didn't allow access checks to run correctly.

Solution: 

Install the latest version and make sure to run the update hooks.

Reported By: Fixed By: Coordinated By: 

Allow All File Extensions for file fields - Critical - Unsupported - SA-CONTRIB-2024-075

Biztonsági figyelmeztetések (contrib) - 2024. december 11. 15.31
Project: Allow All File Extensions for file fieldsDate: 2024-December-11Security risk: Critical 18 ∕ 25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Git Utilities for Drupal - Critical - Unsupported - SA-CONTRIB-2024-074

Biztonsági figyelmeztetések (contrib) - 2024. december 11. 15.27
Project: Git Utilities for DrupalDate: 2024-December-11Security risk: Critical 17 ∕ 25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Login Disable - Critical - Access bypass - SA-CONTRIB-2024-073

Biztonsági figyelmeztetések (contrib) - 2024. december 11. 13.36
Project: Login DisableDate: 2024-December-11Security risk: Critical 16 ∕ 25 AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: >=2.0.0 <2.1.1Description: 

This module enables you to prevent existing users from logging in to your Drupal site unless they know the secret key to add to the end of the ?q=user login form page.

The Login Disable module does not correctly prevent a user with a disabled login from logging in, allowing those users to by-pass the protection offered by the module.

This vulnerability is mitigated by the fact that an attacker must already have a user account to log in. This bug therefore allows users to log in even if their login is disabled.

Solution: 

Install the latest version:

The Drupal 7 version of the module is not affected.

Reported By: Fixed By: Coordinated By: 

Browser Back Button - Moderately critical - Cross site scripting - SA-CONTRIB-2024-072

Biztonsági figyelmeztetések (contrib) - 2024. december 11. 08.44
Project: Browser Back ButtonDate: 2024-December-11Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross site scriptingAffected versions: >=1.0.0 <2.0.2Description: 

This module provides a block that renders a link providing the functionality of a browser's back button.

The module does not sufficiently escape text entered by an administrator, resulting in a cross scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

Entity Form Steps - Moderately critical - Cross site scripting - SA-CONTRIB-2024-071

Biztonsági figyelmeztetések (contrib) - 2024. december 4. 17.20
Project: Entity Form StepsDate: 2024-December-04Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross site scriptingAffected versions: <1.1.4Description: 

This module allows a site builder to create multi-step entity forms leveraging the Field Group field type plugins.

The module doesn't escape plain text administrative configurations. An attacker with admin access could inject arbitrary JavaScript code.

This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer [entity_type] form display' permission allowing access to configure entity form displays.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

Minify JS - Moderately critical - Cross site request forgery - SA-CONTRIB-2024-070

Biztonsági figyelmeztetések (contrib) - 2024. december 4. 16.51
Project: Minify JSDate: 2024-December-04Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Cross site request forgeryAffected versions: <3.0.3Description: 

The Minify JS module allows a site administrator to minify all javascript files that exist in the site's code base and use those minified files on the front end of the website.

Several administrator routes are unprotected against Cross-Site Request Forgery (CRSF) attacks.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

Download All Files - Critical - Access bypass - SA-CONTRIB-2024-069

Biztonsági figyelmeztetések (contrib) - 2024. december 4. 16.13
Project: Download All FilesDate: 2024-December-04Security risk: Critical 16 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Proof/TD:AllVulnerability: Access bypassAffected versions: <2.0.2Description: 

This module provides a field formatter for the field type 'file' called `Table of files with download all link` .

The module had vulnerabilities allowing a user to download files they normally should not be able to download.

Solution: 

Install the latest version:

  • If you use the Download All Files module, upgrade to 2.0.2 version
Reported By: Fixed By: Coordinated By: 

Pages Restriction Access - Critical - Access bypass - SA-CONTRIB-2024-068

Biztonsági figyelmeztetések (contrib) - 2024. december 4. 15.46
Project: Pages Restriction AccessDate: 2024-December-04Security risk: Critical 15 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: >=2.0.0 <2.0.3Description: 

Module to restrict access from anonymous and regular users to configured pre-defined pages.

The module does not adequately handle protecting certain types of URLs.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC Client) - Critical - Cross Site Scripting - SA-CONTRIB-2024-067

Biztonsági figyelmeztetések (contrib) - 2024. december 4. 15.40
Project: OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC Client)Date: 2024-December-04Security risk: Critical 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: >=3.0.0 <3.44.0 || >=4.0.0 <4.0.19Description: 

This module enables you to authenticate users through an Identity Provider (IdP) or OAuth Server, allowing them to log in to your Drupal site.

The module does not sufficiently escape query parameters sent to the callback URL when displaying error messages, particularly if the code parameter is missing in the response.

Solution: 

Install the latest version:

  • If you use the OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC Client) module 8.x-3.x for Drupal 9 and Drupal 10, upgrade to miniorange_oauth_client 8.x-3.44 .
  • If you use the OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC Client) module 4.x for Drupal 9, Drupal 10 and Drupal 11, upgrade to miniorange_oauth_client 4.0.19.
  • If you use the OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC Client) module 7.x-1.x for Drupal 7, upgrade to miniorange_oauth_client 7.x-1.355.
Reported By: Fixed By: Coordinated By: 

Print Anything - Critical - Unsupported - SA-CONTRIB-2024-066

Biztonsági figyelmeztetések (contrib) - 2024. december 4. 07.56
Project: Print AnythingDate: 2024-December-04Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Reported By: 

Megamenu Framework - Critical - Unsupported - SA-CONTRIB-2024-065

Biztonsági figyelmeztetések (contrib) - 2024. december 4. 07.51
Project: Megamenu FrameworkDate: 2024-December-04Security risk: Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: UnsupportedAffected versions: *Description: 

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

Reported By: 

Tarte au Citron - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-064

Biztonsági figyelmeztetések (contrib) - 2024. november 27. 17.41
Project: Tarte au CitronDate: 2024-November-27Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: >=2.0.0 <2.0.5Description: 

This module integrates Tarte au citron JS library with Drupal and prevent services to be loaded without user consent. Administrators can enable and configure services which will be managed by Tarte au citron.

When Google Tag Manager (GTM) service is enabled, an attacker can load a GTM container that can completely change the page or insert malicious JS.

This vulnerability is mitigated by the fact that the attacker must have a role with the permission "administer tarte au citron".

Solution: 

Install the latest version and confirm only trusted roles have the "Administer Tarte au citron" permission.

Reported By: Fixed By: Coordinated By: 

Eloqua - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-063

Biztonsági figyelmeztetések (contrib) - 2024. november 20. 20.11
Project: EloquaDate: 2024-November-20Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Arbitrary PHP code executionDescription: 

This module integrates webforms with eloqua, an automated marketing and demand generation software built to improve the quality and quantity of customers' sales leads and streamline their sales processes.

In certain cases the module doesn't sufficiently sanitize data before passing it to PHP's unserialize() function, which could result in Remote Code Execution via PHP Object Injection.

This vulnerability is mitigated by the fact that an attack must operate with the permission "access administration pages", however this could be the case if this issue were combined with others in an "attack chain".

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

Mailjet - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-062

Biztonsági figyelmeztetések (contrib) - 2024. november 20. 18.36
Project: MailjetDate: 2024-November-20Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Arbitrary PHP code executionAffected versions: <4.0.1Description: 

This module for Drupal provides complete control of Email settings with Drupal and Mailjet.

In certain cases the module doesn't securely pass data to PHP's unserialize() function, which could result in Remote Code Execution via PHP Object Injection.

This vulnerability is mitigated by the fact that an attack must operate with the permission "administer mailjet module", however this could be the case if this issue were combined with others in an "attack chain".

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008

Biztonsági figyelmeztetések (core) - 2024. november 20. 18.29
Project: Drupal coreDate: 2024-November-20Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Gadget chainAffected versions: >= 8.0.0 < 10.2.11 || >= 10.3.0 < 10.3.9Description: 

Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.

This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.

To help protect against this potential vulnerability, some additional checks have been added to Drupal core's database code. If you use a third-party database driver, check the release notes for additional configuration steps that may be required in certain cases.

Solution: 

Install the latest version:

All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By: Fixed By: Coordinated By: 

Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-007

Biztonsági figyelmeztetések (core) - 2024. november 20. 18.27
Project: Drupal coreDate: 2024-November-20Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Gadget chainAffected versions: >= 8.0.0 < 10.2.11 || >= 10.3.0 < 10.3.9 || >= 11.0.0 < 11.0.8Description: 

Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.

This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.

To help protect against this potential vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a TypeError.

Solution: 

Install the latest version:

All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By: Fixed By: Coordinated By: