News reader

Search Autocomplete - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-070

  • Project: Search Autocomplete
  • Date: 2018-October-17
  • Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
  • Vulnerability: Cross Site Scripting
  • CVE IDs: CVE-2018-7603
Description:

The Search Autocomplete module enables you to autocomplete text fields using data from your website (nodes, comments, etc.).

The module doesn't sufficiently filter user-entered text among the autocompletion items leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability can be exploited by any user allowed to create one of the autocompletion items (for instance nodes, users or comments).

Solution: 

Install the latest version:

Also see the Search Autocomplete project page.


HTML Mail - Critical - Remote Code Execution - SA-CONTRIB-2018-069

Security advisories (contrib) - 17 October 2018, 20:16
  • Project: HTML Mail
  • Date: 2018-October-17
  • Security risk: Critical 17∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All
  • Vulnerability: Remote Code Execution
Description:

The HTML Mail module lets you theme your messages the same way you theme the rest of your website.

When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution.

This issue is related to the Drupal Core release SA-CORE-2018-006.

Solution: 

Install the latest version:

  • If you are running Drupal 7.x,
    • update to 7.x-2.71.
    • In case you're still using 7.x-2.65, there is a version 7.x-2.66 which has only the security patch applied, but you must realize that you are running old code and you're missing a number of bug fixes.

Also see the HTML Mail project page.


Mime Mail - Critical - Remote Code Execution - SA-CONTRIB-2018-068

Security advisories (contrib) - 17 October 2018, 19:06
  • Project: Mime Mail
  • Date: 2018-October-17
  • Security risk: Critical 17∕25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default
  • Vulnerability: Remote Code Execution
Description:

The MIME Mail module allows you to send MIME-encoded e-mail messages with embedded images and attachments.

The module doesn't sufficiently sanitize some variables for shell arguments when sending email, which could lead to arbitrary remote code execution.

This issue is related to the Drupal Core release SA-CORE-2018-006.

Solution: 

Install the latest version:

Also see the Mime Mail project page.


Drupal Core - Multiple Vulnerabilities - SA-CORE-2018-006

Security advisories (core) - 17 October 2018, 18:42
  • Advisory ID: DRUPAL-SA-CONTRIB-2018-006
  • Project: Drupal core
  • Version: 7.x, 8.x
  • Date: 2018-October-17
Description

Content moderation - Moderately critical - Access bypass - Drupal 8

In some conditions, content moderation fails to check a user's access to use certain transitions, leading to an access bypass.

In order to fix this issue, the following changes have been made to content moderation which may have implications for backwards compatibility:

ModerationStateConstraintValidator
Two additional services have been injected into this service. Anyone subclassing this service must ensure these additional dependencies are passed to the constructor, if the constructor has been overridden.
StateTransitionValidationInterface
An additional method has been added to this interface. Implementations of this interface which do not extend the StateTransitionValidation should implement this method.

Implementations which do extend from the StateTransitionValidation should ensure any behavioural changes they have made are also reflected in this new method.

User permissions
Previously users who didn't have access to use any content moderation transitions were granted implicit access to update content provided the state of the content did not change. Now access to an associated transition will be validated for all users in scenarios where the state of content does not change between revisions.


External URL injection through URL aliases - Moderately Critical - Open Redirect - Drupal 7 and Drupal 8

The path module allows users with the 'administer paths' permission to create pretty URLs for content.

In certain circumstances the user can enter a particular path that triggers an open redirect to a malicious URL.

The issue is mitigated by the fact that the user needs the 'administer paths' permission to exploit it.


Anonymous Open Redirect - Moderately Critical - Open Redirect - Drupal 8

Drupal core and contributed modules frequently use a "destination" query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.

This vulnerability has been publicly documented.
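As an added illustration of the mitigation (example code written for this page, not Drupal core's own fix), the function below accepts a "destination" value only when it is a path on the current site and otherwise falls back to a safe default. The function name, the rules and the sample inputs are this example's own assumptions.

```php
<?php
// Added example (not Drupal's code): keep "destination" redirects on-site.
// Drupal's actual fix lives in its own URL helper and response subscriber code.

/**
 * Return $destination if it is a local path, otherwise $fallback.
 */
function local_destination_or_fallback(?string $destination, string $fallback = '/'): string {
    if ($destination === null) {
        return $fallback;
    }
    // Strip control characters and whitespace that browsers drop when they
    // parse a Location header, so "\t//evil.example" is not mistaken for a path.
    $candidate = preg_replace('/[\x00-\x20\x7f]+/', '', $destination);
    if ($candidate === '') {
        return $fallback;
    }
    // Anything starting with a scheme ("https:", "javascript:", "data:") leaves the site.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $candidate)) {
        return $fallback;
    }
    // Scheme-relative ("//evil.example") and backslash variants ("/\evil.example")
    // are resolved by browsers as a different host.
    if (preg_match('#^[/\\\\]{2}#', $candidate)) {
        return $fallback;
    }
    // Reject whatever parse_url() still attributes to a host or scheme.
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['host']) || isset($parts['scheme'])) {
        return $fallback;
    }
    // Normalise to a leading slash so a relative "node/1" cannot be re-interpreted.
    return '/' . ltrim($candidate, '/');
}

// Constructed sample inputs for this example.
$samples = [
    '/node/1?page=2',
    'node/1',
    '//evil.example/phish',
    '/\\evil.example',
    'https://evil.example',
    "\t//evil.example",
    'javascript:alert(1)',
    '',
];
foreach ($samples as $s) {
    printf("%-28s -> %s\n", var_export($s, true), local_destination_or_fallback($s));
}
```

Only the first two samples survive as local paths; every other input is replaced by the fallback.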

RedirectResponseSubscriber event handler removal

As part of the fix, \Drupal\Core\EventSubscriber\RedirectResponseSubscriber::sanitizeDestination has been removed. Although this is a public function, it is not considered an API as per our API policy for event subscribers.
If you have extended that class or are calling that method, you should review your implementation in line with the changes in the patch. The existing function has been removed to prevent a false sense of security.


Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution - Drupal 7 and Drupal 8

When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution.
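The same shell-argument problem is described for HTML Mail and Mime Mail above. As an added example (written for this page, not code from Drupal core or either module), the snippet below contrasts interpolating a sender address into the "additional parameters" of PHP's mail() with a validated and escaped form. It assumes the address ends up as the "-f" sendmail option, a common use of that argument; the function names are this example's own.

```php
<?php
// Added example (not Drupal's or the modules' code). PHP's mail() hands its
// fifth argument to the sendmail binary as command-line options, so any value
// placed there is a shell argument and must be validated and escaped.

/**
 * Build the "-f<sender>" option safely, or throw if the address is unusable.
 */
function safe_return_path_option(string $sender): string {
    // Accept only something that is syntactically a single mailbox address.
    // This rejects whitespace, quotes and option-like tokens outright, which
    // matters because mail() itself runs escapeshellcmd() on this argument and
    // quoting alone is therefore not a complete defence.
    if (filter_var($sender, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Return path is not a valid address');
    }
    // escapeshellarg() then guarantees the value stays a single argument.
    return '-f' . escapeshellarg($sender);
}

/**
 * The pattern the advisory warns about: interpolating the raw value.
 * Kept only for comparison with the hardened form above; do not use it.
 */
function unsafe_return_path_option(string $sender): string {
    return '-f' . $sender;
}

// Constructed inputs for this example.
$inputs = [
    'alice@example.com',
    'alice@example.com -extra-token',   // constructed: carries an extra shell token
];
foreach ($inputs as $in) {
    try {
        printf("safe  : %s\n", safe_return_path_option($in));
    } catch (InvalidArgumentException $e) {
        printf("safe  : rejected (%s)\n", $e->getMessage());
    }
    printf("unsafe: %s\n", unsafe_return_path_option($in));
}
```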


Contextual Links validation - Critical - Remote Code Execution - Drupal 8

The Contextual Links module doesn't sufficiently validate the requested contextual links.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access contextual links".


Solution

Upgrade to the most recent version of Drupal 7 or 8 core.

Minor versions of Drupal 8 prior to 8.5.x are not supported and do not receive security coverage, so sites running older versions should update to the above 8.5.x release immediately. 8.5.x will receive security coverage until May 2019.

Workbench Moderation - Moderately critical - Access bypass - SA-CONTRIB-2018-067

Security advisories (contrib) - 17 October 2018, 18:29
  • Project: Workbench Moderation
  • Date: 2018-October-17
  • Security risk: Moderately critical 11∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
  • Vulnerability: Access bypass
Description:

The Workbench Moderation module adds arbitrary moderation states to Drupal core's "unpublished" and "published" node states, and affects the behavior of node revisions when nodes are published.

In some conditions, content moderation fails to check a user's access to use certain transitions, leading to an access bypass.

This issue is related to the Drupal Core release SA-CORE-2018-006.

Solution: 

Install the latest version:

Also see the Drupal core project page.


NVP field - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-066

Security advisories (contrib) - 10 October 2018, 19:02
  • Project: NVP field
  • Date: 2018-October-10
  • Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
  • Vulnerability: Cross Site Scripting
Description:

The NVP field module allows you to create a field type of name/value pairs, with custom titles and easily editable rendering with customizable HTML/text surrounding the pairs.

The module doesn't sufficiently handle sanitization of its field formatter's output.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission of creating/editing content where the module defined fields are in use.

Solution: 

Install the latest version:

Also see the NVP field project page.


Search API Solr Search - Moderately critical - Access bypass - SA-CONTRIB-2018-065

Security advisories (contrib) - 10 October 2018, 19:01
  • Project: Search API Solr Search
  • Version: 7.x-1.13
  • Date: 2018-October-10
  • Security risk: Moderately critical 10∕25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
  • Vulnerability: Access bypass
Description:

This module provides support for creating searches using the Apache Solr search engine and the Search API Drupal module.

The module doesn't sufficiently take the searched fulltext fields into account when creating a search excerpt. This can, in specific cases, lead to confidential data being leaked as part of the search excerpt.

Solution: 

Install the latest version:

Also see the Search API Solr Search project page.


Lightbox2 - Critical - Cross Site Scripting - SA-CONTRIB-2018-064

Security advisories (contrib) - 10 October 2018, 18:57
  • Project: Lightbox2
  • Version: 7.x-2.x-dev
  • Date: 2018-October-10
  • Security risk: Critical 18∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All
  • Vulnerability: Cross Site Scripting
Description:

The Lightbox2 module enables you to overlay images on the current page.

The module did not sanitize some inputs when used in combination with a custom view leading to potential Cross Site Scripting (XSS).

Solution: 

Install the latest version:

Also see the Lightbox2 project page.


Printer, email and PDF versions - Highly critical - Remote Code Execution - SA-CONTRIB-2018-063

Security advisories (contrib) - 3 October 2018, 20:18
  • Project: Printer, email and PDF versions
  • Version: 7.x-2.x-dev
  • Date: 2018-October-03
  • Security risk: Highly critical 20∕25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon
  • Vulnerability: Remote Code Execution
Description:

This module provides printer-friendly versions of content, including send by e-mail and PDF versions.

The module doesn't sufficiently sanitize the arguments passed to the wkhtmltopdf executable, allowing a remote attacker to execute arbitrary shell commands. It also doesn't sufficiently sanitize the HTML content passed to dompdf, allowing a privileged attacker to execute arbitrary PHP code.

This vulnerability is mitigated by the fact that the site must have either the wkhtmltopdf or dompdf sub-modules enabled and selected as the PDF generation tool. In the case of the dompdf vulnerability, the attacker must be able to write content to the site.

Solution: 

Install the latest version:

  • If you use the print module for Drupal 7.x, upgrade to print 7.x-2.1

Alternatively, disable PDF generation, or replace the PDF generation library with another of the supported ones.

Also see the Printer, email and PDF versions project page.


Commerce Klarna Checkout - Moderately critical - Access bypass - SA-CONTRIB-2018-062

Security advisories (contrib) - 26 September 2018, 18:34
  • Project: Commerce Klarna Checkout
  • Version: 7.x-1.4
  • Date: 2018-September-26
  • Security risk: Moderately critical 13∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All
  • Vulnerability: Access bypass
Description:

The Commerce Klarna Checkout module enables you to accept payments from the Klarna Checkout payment provider.

The module doesn't sufficiently validate the payment callback made by Klarna. An attacker could bypass the payment step.

Solution: 

Install the latest version:

Also see the Commerce Klarna Checkout project page.


Taxonomy File Tree - Moderately critical - Access bypass - SA-CONTRIB-2018-061

Security advisories (contrib) - 26 September 2018, 18:12
  • Project: Taxonomy File Tree
  • Version: 7.x-1.0
  • Date: 2018-September-26
  • Security risk: Moderately critical 13∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All
  • Vulnerability: Access bypass
Description:

Taxonomy File Tree allows site managers to create file trees.

For files managed as Drupal files, the module does not properly check that a user has access to a file before letting the user download the file.

This vulnerability only affects sites that use private files.

Solution: 

Install the latest version:

Also see the Taxonomy File Tree project page.


Renderkit - Moderately critical - Access bypass - SA-CONTRIB-2018-060

Security advisories (contrib) - 19 September 2018, 18:02
  • Project: Renderkit
  • Date: 2018-September-19
  • Security risk: Moderately critical 11∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
  • Vulnerability: Access bypass
Description:

This module, typically in combination with cfr:cfrplugin, allows you to compose behaviors from granular components. One such behavior is to display a list of related entities for a given source entity and a given entity relation (e.g. an entity reference field).

The components that display related content do not check if the user has access to view the related entities. This way e.g. unpublished nodes may be displayed to anonymous visitors.

This vulnerability is mitigated by the facts that
- a site builder must have used the component that displays "related" entities for a source entity, using cfr:cfrplugin, OR a programmer has used one of the affected components in code.
- a source entity displayed this way must reference access-restricted content.

Solution: 

Install the latest version:

Also see the Renderkit project page.


Fraction - Less critical - XSS vulnerability - SA-CONTRIB-2018-059

Security advisories (contrib) - 5 September 2018, 19:22
  • Project: Fraction
  • Date: 2018-September-05
  • Security risk: Less critical 5∕25 6/25 (Less Critical) AC:Complex/A:Admin/CI:None/II:None/E:Theoretical/TD:All
  • Vulnerability: XSS vulnerability
Description:

This module enables you to create fields for storing decimal values as two integers (numerator and denominator) for maximum precision.

The module doesn't sufficiently filter XSS strings out of field labels.

This vulnerability is mitigated by the fact that an attacker must have a role with the ability to manage field configuration.

Solution: 

Install the latest version:

Also see the Fraction project page.


Bing Autosuggest API - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-058

Security advisories (contrib) - 29 August 2018, 18:27
  • Project: Bing Autosuggest API
  • Version: 7.x-1.x-dev
  • Date: 2018-August-29
  • Security risk: Moderately critical 13∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All
  • Vulnerability: Cross Site Scripting
Description:

This module enables you to use the Bing Autosuggest API.

The module doesn't sufficiently sanitize a value used to populate an API request.

Solution: 

Install the latest version:

Also see the Bing Autosuggest API project page.


Drupal Commerce - Moderately critical - Access bypass - SA-CONTRIB-2018-057

Security advisories (contrib) - 29 August 2018, 18:26
  • Project: Drupal Commerce
  • Version: 8.x-2.x-dev
  • Date: 2018-August-29
  • Security risk: Moderately critical 14∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
  • Vulnerability: Access bypass
Description:

This module enables you to build eCommerce websites and applications with Drupal.

The module doesn't sufficiently check access for some of its entity types.

Solution: 

Update to Commerce 8.x-2.9.


File (Field) Paths - Critical - Remote Code Execution - SA-CONTRIB-2018-056

Security advisories (contrib) - 15 August 2018, 14:32
  • Project: File (Field) Paths
  • Date: 2018-August-15
  • Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:All/E:Theoretical/TD:Default
  • Vulnerability: Remote Code Execution
Description:

This module enables you to automatically sort and rename your uploaded files using token-based replacement patterns to maintain a nice clean filesystem.

The module doesn't sufficiently sanitize the path while a new file is being uploaded, allowing a remote attacker to execute arbitrary PHP code.

This vulnerability is mitigated by the fact that an attacker must have access to a form containing a widget processed by this module.

Solution: 

Install the latest version:


PHP Configuration - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-055

Security advisories (contrib) - 8 August 2018, 19:14
  • Project: PHP Configuration
  • Version: 8.x-1.0, 7.x-1.0
  • Date: 2018-August-08
  • Security risk: Critical 17∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All
  • Vulnerability: Arbitrary PHP code execution
Description:

This module enables you to add or overwrite PHP configuration on a Drupal website.

The module doesn't sufficiently restrict access to setting these configuration values, leading to arbitrary PHP configuration being applied by an attacker.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer phpconfig".

After updating the module, it's important to review the permissions of your website; if the 'administer phpconfig' permission is granted to a user role that is not fully trusted, we advise revoking it.

Solution: 

Install the latest version:

Also see the PHP Configuration project page.

Reported By: Fixed By: Coordinated By: 
  • mpotter of the Drupal Security Team

Drupal Core - 3rd-party libraries - SA-CORE-2018-005

Security advisories (core) - 1 August 2018, 20:54
  • Advisory ID: SA-CORE-2018-005
  • Project: Drupal core
  • Version: 8.x
  • CVE: CVE-2018-14773
  • Date: 2018-August-01
Description

The Drupal project uses the Symfony library. The Symfony library has released a security update that impacts Drupal. Refer to the Symfony security advisory for the issue.

The same vulnerability also exists in the Zend Feed and Diactoros libraries included in Drupal core; however, Drupal core does not use the vulnerable functionality. If your site or module uses Zend Feed or Diactoros directly, read the Zend Framework security advisory and update or patch as needed.

The Drupal Security Team would like to thank the Symfony and Zend Security teams for their collaboration on this issue.

Versions affected

8.x versions before 8.5.6.

Solution

Upgrade to Drupal 8.5.6.

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 8.x

Select (or other) - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-054

Security advisories (contrib) - 25 July 2018, 14:38
  • Project: Select (or other)
  • Date: 2018-July-25
  • Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
  • Vulnerability: Cross Site Scripting
Description:

This module enables users to select 'other' on certain form elements and a textfield appears for the user to provide a custom value.

The module doesn't sufficiently escape the values of a text field when the "Select or other" formatter is used.

This vulnerability is mitigated by the fact that an attacker must have access to edit a field that is displayed through the "Select or other" formatter.

Solution: 

Also see the Select (or other) project page.

Reported By: Fixed By: Coordinated By: 
  • Michael Hess of the Drupal Security Team

XML sitemap - Moderately critical - Information Disclosure - SA-CONTRIB-2018-053

Security advisories (contrib) - 18 July 2018, 17:31
  • Project: XML sitemap
  • Date: 2018-July-18
  • Security risk: Moderately critical 13∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
  • Vulnerability: Information Disclosure
Description:

This module enables you to generate XML sitemaps, which help search engines crawl a website more intelligently and keep their results up to date.

The module doesn't sufficiently handle access rights when updating content during cron execution.

Solution: 

Also see the XML sitemap project page.