Hírolvasó

Project: Advanced VarnishDate: 2024-August-28Security risk: Moderately critical 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <4.0.11Description: 

This module enables you to cache pages for logged in users at the Varnish level.

The Varnish bin names may be guessable when no hashing noise configuration is set on the module configuration page, which would ultimately allow any user to view cached pages that were intended for other roles when guessing such a bin name.

Solution: 

There are two steps. Install the latest version and update your configuration:

1. If you use the Advanced Varnish module for Drupal 4.0.x, upgrade to Advanced Varnish 4.0.11
2. Go to the module configuration page and set an appropriate value to the hashing noise configuration.

Reported By: 

• Heine Deelstra of the Drupal Security Team

Fixed By: 

• Heine Deelstra of the Drupal Security Team
• Alexander Shumenko

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: OpignoDate: 2024-August-21Security risk: Critical 16∕25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Arbitrary PHP code executionDescription: 

The Opigno module is related to Opigno LMS distribution. Opigno Scorm submodule exposes an API for extracting and handling SCORM packages.

Uploaded files were not sufficiently validated to prevent arbitrary file uploads, which could lead to Remote Code Execution (RCE) and/or Cross Site Scripting (XSS).

This vulnerability is mitigated by the fact that it affected only specific activity types.

Solution: 

Install the latest version:

• If you use the opigno module, upgrade to opigno 7.x-1.23

Reported By: 

• Yurii Boichenko
• Marcin Grabias
• catch of the Drupal Security Team

Fixed By: 

• Yurii Boichenko

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team

Project: Opigno TinCan Question TypeDate: 2024-August-21Security risk: Critical 16∕25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Arbitrary PHP code executionDescription: 

The Opigno TinCan Question Type module is related to Opigno LMS distribution. The module adds a new question type for the Quiz module. With this new question type, you will be able to import TinCan Packages to your Drupal instance and to use it as a question.

Uploaded files were not sufficiently validated to prevent arbitrary file uploads, which could lead to Remote Code Execution (RCE) and/or Cross Site Scripting (XSS).

This vulnerability is mitigated by the fact that it requires the attacker have a role with the permission to create or edit "TinCan Package" content type.

Solution: 

Install the latest version:

• If you use the opigno_tincan_question_type module, upgrade to opigno_tincan_question_type 7.x-1.3

Reported By: 

• Juraj Nemec of the Drupal Security Team
• Marcin Grabias
• catch of the Drupal Security Team

Fixed By: 

• Juraj Nemec of the Drupal Security Team
• Axel Minck
• Yurii Boichenko

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team

Project: Responsive and off-canvas menuDate: 2024-August-21Security risk: Moderately critical 13∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassAffected versions: <4.4.4Description: 

This module integrates the mmenu library with Drupal's menu system with the aim of having an off-canvas mobile menu and a horizontal menu at wider widths.

The module doesn't respect custom node access restrictions implemented through hook_ENTITY_TYPE_access hooks meaning the titles of restricted nodes can appear in the menu.

Only sites with modules that implement hook_ENTITY_TYPE_access to restrict access to nodes are effected.

Solution: 

Install the latest version:

• If you use the 4.x branch of the responsive_menu module upgrade to 4.4.4

Reported By: 

• collinhaines

Fixed By: 

• Stephen Cox

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team
• Drew Webber of the Drupal Security Team

Project: Opigno Learning pathDate: 2024-August-07Security risk: Critical 16∕25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Arbitrary PHP code executionAffected versions: <3.1.2Description: 

The Opigno Learning Path module enables you to manage group content.

Administrative forms allow uploading malicious files which may contain arbitrary code (RCE) or cross site scriptiong (XSS). These forms were not adequately controlled with permissions that communicate the severity of the permission.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Manage group content in any group".

Solution: 

Install the latest version:

• If you use the opigno_learning_path module, upgrade it to opigno_learning_path >= 3.1.2

Reported By: 

• Marcin Grabias
• catch of the Drupal Security Team

Fixed By: 

• Axel Minck
• Yuriy Korzhov
• Andrii Aleksandrov
• Yurii Boichenko

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Opigno moduleDate: 2024-August-07Security risk: Critical 15∕25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Arbitrary PHP code executionAffected versions: <3.1.2Description: 

The Opigno module is related to Opigno LMS distribution. It implements the module entity, that is a sub-part of a training.

In the opigno_module module, uploaded files were not sufficiently validated to prevent arbitrary file uploads, which could lead to Remote Code Execution (RCE) and/or Cross Site Scripting (XSS).

This vulnerability is mitigated by the fact that it requires the attacker have a role with the permission "create opigno tincan activities".

Solution: 

Install the latest version:

• If you use the opigno_module module, upgrade to opigno_module >= 3.1.2

Reported By: 

• Marcin Grabias
• catch of the Drupal Security Team

Fixed By: 

• Yurii Boichenko
• Axel Minck
• Yuriy Korzhov
• Andrii Aleksandrov
• catch of the Drupal Security Team

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Opigno group managerDate: 2024-August-07Security risk: Critical 16∕25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Arbitrary PHP code executionAffected versions: <3.1.1Description: 

The Opigno group manager project is related to Opigno LMS distribution. It allows to build the contents of learning paths, by combining together modules, courses, and other activities, ordering them, and defining conditional rules for the transitions from one step to the next one.

An administration form allows execution of arbitrary code.

This issue is mitigated by several factors. First, it requires the attacker have the permission "update group learning_path". Additionally, it requires several steps and depends on other data in the system to be in place.

Solution: 

Install the latest version:

• If you use the opigno_group_manager module for Drupal 10.x, upgrade to opigno_group_manager 3.1.1

Reported By: 

• catch of the Drupal Security Team
• Marcin Grabias

Fixed By: 

• Yurii Boichenko

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Benji Fisher of the Drupal Security Team

Project: View PasswordDate: 2024-July-31Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingAffected versions: <6.0.4Description: 

The View Password module enables you to add a help icon button next to the password input field to toggle the password visibility. The administrative user is allowed to add classes to this icon for styling purposes.

The module doesn't validate the content of classes. A malicious user with access to the View Password Settings Form could add malicious code in the classes field.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer view password".

Solution: 

Install the latest version:

• If you use the View Password module upgrade to View Password 6.0.4.

Reported By: 

• Ide Braakman

Fixed By: 

• Ana Colautti
• Ide Braakman

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team

Project: Acquia DAMDate: 2024-June-05Security risk: Moderately critical 13∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Access bypass, Denial of ServiceAffected versions: <1.0.13 || >=1.1.0 <1.1.0-beta3Description: 

Acquia DAM provides a connection to a third-party asset management system, allowing for images to be managed, linked to, and viewed from Drupal. In order for assets to be managed in Drupal, a site administrator must first authenticate the site to their DAM instance.

The module doesn't sufficiently protect the ability to disconnect a site from DAM. While disconnected sites do not lose asset data in Drupal, it will prevent site editors from accessing the DAM until a site administrator re-authenticates the site. Some uncached media images may also fail to be fetched while disconnected.

Solution: 

Install the latest version:

• If you use the acquia_dam module for Drupal 9.4 or above, upgrade to Acquia DAM 1.0.13.
• If you use a pre-release version of acquia_dam 1.1, upgrade to Acquia DAM 1.1.0-beta3. (Note: beta releases generally do not receive security coverage.)

Reported By: 

• Matt Glaman

Fixed By: 

• Matt Glaman
• Greg Knaddison of the Drupal Security Team
• Balázs Ertl-Bakos
• Jakob Perry

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• xjm of the Drupal Security Team

Project: Migrate queue importerDate: 2024-May-29Security risk: Moderately critical 10∕25 AC:Basic/A:Admin/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Request ForgeryAffected versions: <2.1.1Description: 

The Migrate queue importer module enables you to create cron migrations(configuration entities) with a reference towards migration entities in order to import them during cron runs.

The module doesn't sufficiently protect against Cross Site Request Forgery
under specific scenarios allowing an attacker to enable/disable a cron migration.

This vulnerability is mitigated by the fact that an attacker must know the
id of the migration.

Solution: 

Install the latest version:

• If you use Migrate queue importer module for Drupal 10, upgrade to Migrate queue importer 2.1.1

Reported By: 

• Pierre Rudloff

Fixed By: 

• David Bätge
• Pierre Rudloff

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team
• Michael Hess of the Drupal Security Team

Project: Image SizesDate: 2024-May-29Security risk: Moderately critical 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <3.0.2Description: 

This module enables you to create responsive image styles that depend on the parent element's width.

The module doesn't sufficiently check access to rendered images, resulting in access bypass vulnerabilities in specific scenarios.

Solution: 

Install the latest version.

• If you use the Image Sizes module for Drupal 10, upgrade to Image Sizes 3.0.2

Reported By: 

• Dezső Biczó

Fixed By: 

• Dezső Biczó
• Pascal Crott
• Juraj Nemec of the Drupal Security Team

Coordinated By: 

• Juraj Nemec of the Drupal Security Team
• Neil Drumm of the Drupal Security Team
• Michael Hess of the Drupal Security Team

Project: Drupal REST & JSON API AuthenticationDate: 2024-May-29Security risk: Moderately critical 11∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <2.0.13Description: 

Drupal REST & JSON API Authentication module restricts and secures unauthorized access to your Drupal site APIs using different authentication methods including Basic Authentication , API Key Authentication , JWT Authentication , OAuth Authentication , External / Third-Party Provider Authentication, etc.

The module doesn't sufficiently control user access when using Basic Authentication.

Solution: 

Install the latest version:

• If you use the 2.0.x branch, upgrade to Drupal REST & JSON API Authentication 2.0.13
• If you use the 8.x-1.x branch, upgrade to Drupal REST & JSON API Authentication 2.0.13, as the 8.x-1.x branch is now unsupported.

Reported By: 

• Arek Suchecki

Fixed By: 

• solideogloria
• Shashank Thigale
• Arek Suchecki
• Greg Knaddison of the Drupal Security Team

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team
• David Rothstein of the Drupal Security Team
• Michael Hess of the Drupal Security Team

Project: Commerce View ReceiptDate: 2024-May-22Security risk: Moderately critical 13∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <1.0.3Description: 

The Commerce View Receipts module enables you to view commerce order receipts in the browser.

The module doesn't sufficiently check access permissions, allowing a malicious to view the private information of other customers.

Solution: 

Install the latest version.

• If you use the Commerce View Receipts module for Drupal, upgrade to Commerce View Receipts 1.0.3.

Sites may wish to temporarily revoke the "view receipts" permission from most roles until the site can be upgraded to the latest version.

Reported By: 

• Norman Kämper-Leymann

Fixed By: 

• Norman Kämper-Leymann
• Greg Mack
• Greg Knaddison of the Drupal Security Team
• Drew Webber of the Drupal Security Team

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team
• xjm of the Drupal Security Team

Project: Email ContactDate: 2024-May-22Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <2.0.4Description: 

The Email Contact module provides email field display formatters that can display the field as a link to the contact form, or as an inline contact form.

The module does not sufficiently handle restricted entity or field access to the mail sending form, when the "Email contact link" formatter is used.

This vulnerability is mitigated by the fact that it requires the "Email contact link" formatter to be used.

Solution: 

Install the latest version:

• If you use the 2.0.x branch, upgrade to email_contact 2.0.4.
• If you use the 8.x-1.x branch, upgrade to email_contact 2.0.4, as the 8.x-1.x branch is now unsupported.

Reported By: 

• Claudiu Cristea

Fixed By: 

• Claudiu Cristea
• Bálint Nagy
• Greg Knaddison of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team
• xjm of the Drupal Security Team

Coordinated By: 

• Greg Knaddison of the Drupal Security Team
• xjm of the Drupal Security Team
• Juraj Nemec of the Drupal Security Team

Project: RESTful Web ServicesDate: 2024-May-15Security risk: Critical 16∕25 AC:None/A:None/CI:Some/II:None/E:Proof/TD:AllVulnerability: Access bypassDescription: 

This module exposes Drupal resources (e.g. entities) as RESTful web services.

The module doesn't sufficiently restrict access for user resources.

Solution: 

Install the latest version:

• If you use the RESTful Web Services module for Drupal 7, upgrade to RESTful Web Services 7.x-2.10

Reported By: 

• Fran Garcia-Linares

Fixed By: 

• Neil Drumm of the Drupal Security Team
• Fran Garcia-Linares

Coordinated By: 

• Neil Drumm of the Drupal Security Team