News reader

Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2023-005

Security advisories (contrib) - 1 February 2023, 17:13
Project: Apigee Edge
Date: 2023-February-01
Security risk: Moderately critical 13∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

The Apigee Edge module allows connecting a Drupal site to Apigee X / Edge in order to build a developer portal.

Previous module versions did not perform access checking at the entity query level, which could have led to information disclosure or access bypass in various places.
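The fix described above comes down to whether entity queries are allowed to return IDs the current user may not view. The following PHP is an added example, not code from the Apigee Edge module: it contrasts a query that skips access checking with one that honours it, and adds a per-entity check when the results are rendered. The entity type ID `developer_app` and the `status` condition are assumed for illustration.

```php
<?php

// Added example, not code from the Apigee Edge module: the same entity query
// written without and with query-level access checking. The entity type ID
// 'developer_app' and the 'status' condition are assumed for illustration.

use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Weak pattern: the query ignores entity access entirely.
 *
 * accessCheck(FALSE) returns every matching ID, whether or not the current user
 * may view the entity. Any listing, autocomplete or form element built from
 * these IDs leaks the existence and metadata of entities the user cannot see.
 * (Drupal 10 refuses to run an entity query that never calls accessCheck().)
 */
function app_ids_without_access_check(EntityTypeManagerInterface $etm): array {
  return $etm->getStorage('developer_app')
    ->getQuery()
    ->accessCheck(FALSE)
    ->condition('status', 'approved')
    ->execute();
}

/**
 * Hardened pattern: let the query honour entity access.
 *
 * With accessCheck(TRUE) the query is tagged for access alteration, so modules
 * that implement query-level access (node grants, for example) filter out IDs
 * the current user may not view before anything is loaded or displayed.
 */
function app_ids_with_access_check(EntityTypeManagerInterface $etm): array {
  return $etm->getStorage('developer_app')
    ->getQuery()
    ->accessCheck(TRUE)
    ->condition('status', 'approved')
    ->execute();
}

/**
 * Defence in depth: re-check 'view' access on each loaded entity.
 *
 * Query-level filtering and per-entity access control are separate layers; an
 * entity access handler may apply rules that no query alteration expresses.
 */
function visible_app_labels(EntityTypeManagerInterface $etm, AccountInterface $account): array {
  $storage = $etm->getStorage('developer_app');
  $labels = [];
  foreach ($storage->loadMultiple(app_ids_with_access_check($etm)) as $entity) {
    if ($entity->access('view', $account)) {
      $labels[] = $entity->label();
    }
  }
  return $labels;
}
```

The same two-layer pattern (filter at query time, then check `access('view')` on each entity before rendering) is what prevents the metadata disclosure class of issue in any module that builds lists or widgets from entity queries.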

Solution: 

Install the latest version:

  • If you use the Apigee Edge module version 2.0.x for Drupal 9.x, upgrade to Apigee Edge 2.0.8
  • If you use the Apigee Edge module version 8.x-1.x for Drupal 9.x, upgrade to Apigee Edge 8.x-1.27

Media Library Form API Element - Moderately critical - Information Disclosure - SA-CONTRIB-2023-004

Security advisories (contrib) - 18 January 2023, 18:49
Project: Media Library Form API Element
Version: 8.x-1.3, 8.x-1.2, 8.x-1.1
Date: 2023-January-18
Security risk: Moderately critical 13∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Information Disclosure
Affected versions: >=2.0 <2.0.6
Description:

This module enables you to use the media library in custom forms without the Media Library Widget.

The module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access.

The vulnerability is mitigated by the fact that the inaccessible media will only be visible to users who can already edit content that includes a media reference field.

Solution: 

Install the latest version:

  • If you use the Media Library Form API Element module versions 2.x for Drupal 9 or 10, upgrade to 2.0.6.
  • If you use the Media Library Form API Element module versions 8.x-1.*, all of them are affected and no longer supported. You should upgrade to 2.0.6.

Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-001

Security advisories (core) - 18 January 2023, 18:40
Project: Drupal core
Date: 2023-January-18
Security risk: Moderately critical 12∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Information Disclosure
Affected versions: >=8.0.0 <9.4.10 || >=9.5.0 <9.5.2 || >=10.0.0 <10.0.2
Description:

The Media Library module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access.

The vulnerability is mitigated by the fact that the inaccessible media will only be visible to users who can already edit content that includes a media reference field.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core does not include the Media Library module and therefore is not affected.


Media Library Block - Moderately critical - Information Disclosure - SA-CONTRIB-2023-003

Security advisories (contrib) - 18 January 2023, 18:36
Project: Media Library Block
Date: 2023-January-18
Security risk: Moderately critical 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Information Disclosure
Affected versions: >=1.0 <1.0.4
Description:

The Media Library Block module allows you to render a media entity in a block.

The module does not properly check media access in some circumstances. This may result in unauthorized users (including anonymous users) seeing media items they are not authorized to access if a block containing a restricted media item is placed on the page.

Administrators may mitigate this vulnerability by removing blocks referencing media items that have access restrictions.

Solution: 

Install the latest version:


Entity Browser - Moderately critical - Information Disclosure - SA-CONTRIB-2023-002

Security advisories (contrib) - 18 January 2023, 18:28
Project: Entity Browser
Date: 2023-January-18
Security risk: Moderately critical 12∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Information Disclosure
Description:

The Entity Browser module allows you to select entities from entity reference fields using a custom entity browser widget.

Entity Browser does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about entities they are not authorized to access.

The vulnerability is mitigated by the fact that the inaccessible entities will only be visible to users who can already edit content using Entity Browser.

Solution: 

Install the latest version:


Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001

Security advisories (contrib) - 11 January 2023, 18:15
Project: Private Taxonomy Terms
Date: 2023-January-11
Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

This module enables users to create 'private' vocabularies.

The module doesn't enforce permissions appropriately for the taxonomy overview page and overview form.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer own taxonomy" or "View private taxonomies".

Solution: 

Install the latest version:


File (Field) Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-065

Security advisories (contrib) - 14 December 2022, 16:47
Project: File (Field) Paths
Date: 2022-December-14
Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

The File (Field) Paths module extends the default functionality of Drupal's core File module, by adding the ability to use entity-based tokens in destination paths and file names.

The module's default configuration could temporarily expose private files to anonymous visitors.

Important note: to fix the problem, database updates must be run in addition to updating the module.

It is possible to mitigate this problem with a configuration change in the admin UI at /admin/config/media/file-system/filefield-paths: the temporary file location should use either the temporary:// or the private:// stream wrapper if uploaded files should not be exposed publicly.

This vulnerability is mitigated by the fact that an attacker must be able to guess the temporary path used for file upload.

Solution: 

Install the latest version:


H5P - Create and Share Rich Content and Applications - Moderately critical - Remote Code Execution - SA-CONTRIB-2022-064

Security advisories (contrib) - 14 December 2022, 16:34
Project: H5P - Create and Share Rich Content and Applications
Date: 2022-December-14
Security risk: Moderately critical 12∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Remote Code Execution
Description:

This module enables you to create interactive content.

The module does not sufficiently prevent path traversal through the file names stored inside uploaded .h5p archives.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "update h5p libraries". In addition, it is only exploitable on Windows servers.
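Because the issue is in how archive entry names are trusted during extraction, the defensive check belongs before any file is written. The PHP below is an added example, not code from the H5P module: it validates every entry name of an uploaded archive (treating backslashes as separators, which is why the Windows-only exploitability matters) and extracts nothing if any entry would escape the target directory. The sample entry names are constructed for the demonstration and the helper uses PHP 8 string functions.

```php
<?php

// Added example, not code from the H5P module: validate archive entry names
// before extraction so that a crafted name cannot write outside the target
// directory. Sample entry names are constructed for the demonstration; the
// checks use PHP 8 string functions (str_contains, str_starts_with).

/**
 * Returns TRUE if $entry_name can only resolve inside the extraction directory.
 *
 * Rejects empty names, NUL bytes, absolute paths, Windows drive letters and
 * UNC prefixes, and any ".." segment. Backslashes are normalised to "/" first
 * because Windows treats them as separators, so a check that only splits on
 * "/" would miss "..\" segments on Windows servers.
 */
function is_safe_archive_entry(string $entry_name): bool {
  if ($entry_name === '' || str_contains($entry_name, "\0")) {
    return FALSE;
  }
  $name = str_replace('\\', '/', $entry_name);
  if (str_starts_with($name, '/') || preg_match('#^[A-Za-z]:#', $name) === 1) {
    return FALSE;
  }
  foreach (explode('/', $name) as $segment) {
    if ($segment === '..') {
      return FALSE;
    }
  }
  return TRUE;
}

/**
 * Validates every entry first and extracts only if all of them are safe.
 *
 * Returns the rejected names so the caller can refuse the upload and log what
 * was attempted. Checking all entries before writing anything avoids leaving a
 * half-extracted library behind when a bad entry sits late in the archive.
 */
function extract_archive_safely(ZipArchive $zip, string $target_dir): array {
  $rejected = [];
  for ($i = 0; $i < $zip->numFiles; $i++) {
    $name = $zip->getNameIndex($i);
    if ($name === FALSE || !is_safe_archive_entry($name)) {
      $rejected[] = (string) $name;
    }
  }
  if ($rejected === []) {
    $zip->extractTo($target_dir);
  }
  return $rejected;
}

// Constructed sample names: the first two look like legitimate library files,
// the rest are the shapes of name the validation above must reject.
$samples = [
  'H5P.Example-1.0/library.json'   => TRUE,
  'H5P.Example-1.0/scripts/app.js' => TRUE,
  '../../outside.txt'              => FALSE,
  'lib\\..\\..\\outside.txt'       => FALSE,
  'C:/outside.txt'                 => FALSE,
  '/outside.txt'                   => FALSE,
];
foreach ($samples as $name => $expected) {
  assert(is_safe_archive_entry($name) === $expected);
}
```

On a production PHP configuration `assert()` is typically disabled, so the loop at the end is only a self-check for running the snippet locally; the two functions are the reusable part.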

Solution: 

Install the latest version:

  • If you use the H5P module for Drupal 7.x, upgrade to H5P 7.x-1.51
Reported By: Disclosed publicly.

Entity Registration - Moderately critical - Access bypass - SA-CONTRIB-2022-063

Security advisories (contrib) - 7 December 2022, 20:12
Project: Entity Registration
Date: 2022-December-07
Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Access bypass
Affected versions: >=7.1.0 <7.1.9
Description:

This module enables you to create registration entities related to nodes.

The module doesn't sufficiently restrict update access to a user's own registrations.

This vulnerability is mitigated by the fact that an attacker must have the "update own [registration type]" permission.

Solution: 

Install the latest version:

Note: sites that allow non-administrative users to manage registrations (because those users can update the registration host entity and have the "update own registration" permission for a given registration type) may need to grant those users the "administer own registration" permission so that they retain the ability to manage registrations after installing this upgrade.

Reported at: 20 November 2022

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-062

Security advisories (contrib) - 30 November 2022, 16:34
Project: Open Social
Date: 2022-November-30
Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:Default
Vulnerability: Access bypass
Affected versions: >=11.4.0 <11.4.9 || >=11.5.0 <11.5.1
Description:

The Social Private Message module allows users on the platform to send private messages to each other.

The module does not perform the correct access checks for certain operations.

Solution: 

Install the latest version:


Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-061

Security advisories (contrib) - 30 November 2022, 16:28
Project: Open Social
Date: 2022-November-30
Security risk: Moderately critical 13∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Affected versions: >=11.4.0 <11.4.9 || >=11.5.0 <11.5.1
Description:

Social Flexible Group is an Open Social extension that allows users to create groups with many different configurations.

In specific uncommon scenarios, where a platform doesn't have any flexible groups with the "Group members only (secret)" visibility, community groups are visible to anonymous users on the /all-groups page. No other group information is revealed since group access is not affected by this issue.

This vulnerability is mitigated by creating a Flexible Group with visibility "Group members only (secret)".

Solution: 

Install the latest version:


Social Base - Moderately critical - Access bypass - SA-CONTRIB-2022-060

Security advisories (contrib) - 30 November 2022, 16:20
Project: Social Base
Date: 2022-November-30
Security risk: Moderately critical 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Affected versions: >=2.3 <2.3.4 || >=2.4 <2.4.3
Description:

The Social Base theme is designed as a base theme for Open Social. It provides a lot of sensible defaults but does not contain much styling; developers are expected to change this for their own project.

When content within the Open Social distribution is placed within a group then the Socialbase theme renders a link to that group on the content view page.

The link to groups was rendered without sufficiently checking that the viewing user has access to the group. When creating public content in a non-public group this could lead to exposing the existence of the group and the group title to unauthorized users. The group itself remained inaccessible.

Solution: 

Install the latest version:

  • If you use the Socialbase theme for Drupal 8.x/9.x, upgrade to Socialbase 2.4.3
  • If you use the Socialbase theme for Drupal 8.x/9.x, upgrade to Socialbase 2.3.4

Search API - Moderately critical - Information Disclosure - SA-CONTRIB-2022-059

Security advisories (contrib) - 19 October 2022, 22:28
Project: Search API
Date: 2022-October-19
Security risk: Moderately critical 13∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Information Disclosure
Description:

This module enables you to build searches using a wide range of features, data sources and backends.

The module does not, in all cases, correctly detect whether a given search is active on the current page, which can lead to information disclosure in some setups.

This vulnerability is mitigated by the fact that only very specific setups will have this problem and there is no way for an attacker to trigger it.

Solution: 

Install the latest version:
