Hírolvasó
File Chooser Field - Moderately critical - Server Side Request Forgery, Information Disclosure - SA-CONTRIB-2023-015
The File Chooser Field allows users to upload files using 3rd party plugins such as Google Drive and Dropbox.
This module fails to validate user input sufficiently which could under certain circumstances lead to a Server Side Request Forgery (SSRF) vulnerability leading to Information Disclosure. In uncommon configurations and scenarios, it might lead to Remote Code Execution.
Solution:- If you use File Chooser Field version 7.x-1.x, Upgrade to 7.x-1.13
- Drew Webber of the Drupal Security Team
- George Hazlewood
- Drew Webber of the Drupal Security Team
- aaron.ferris
- Greg Knaddison of the Drupal Security Team
S3 File System - Moderately critical - Access bypass - SA-CONTRIB-2023-014
S3 File System (s3fs) provides an additional file system to your Drupal site, which stores files in Amazon's Simple Storage Service (S3) or any other S3-compatible storage service.
This module may fail to validate that a file being requested to be moved to storage was uploaded during the same web request, possibly allowing an attacker to move files that should normally be inaccessible to them.
This vulnerability is mitigated by the fact that another vulnerability must already exist outside of s3fs.
Solution:Install the latest version:
- If you use the S3 File System module for Drupal 8.x, upgrade to s3fs 8.x-3.2
- Greg Knaddison of the Drupal Security Team
Drupal core - Moderately critical - Access bypass - SA-CORE-2023-005
The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to.
Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating.
This advisory is covered by Drupal Steward.
We would normally not apply for a release of this severity. However, in this case we have chosen to apply Drupal Steward security coverage to test our processes.
Drupal 7- All Drupal 7 sites on Windows web servers are vulnerable.
- Drupal 7 sites on Linux web servers are vulnerable with certain file directory structures, or if a vulnerable contributed or custom file access module is installed.
Drupal 9 and 10 sites are only vulnerable if certain contributed or custom file access modules are installed.
Solution:Install the latest version:
- If you are using Drupal 10.0, update to Drupal 10.0.8.
- If you are using Drupal 9.5, update to Drupal 9.5.8.
- If you are using Drupal 9.4, update to Drupal 9.4.14.
- If you are using Drupal 7, update to Drupal 7.96.
All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Reported By:- Heine of the Drupal Security Team
- Conrad Lara
- Guy Elsmore-Paddock
- Michael Hess of the Drupal Security Team
- Heine of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- David Rothstein of the Drupal Security Team
- xjm of the Drupal Security Team
- Wim Leers
- Damien McKenna of the Drupal Security Team
- Alex Bronstein of the Drupal Security Team
- Conrad Lara
- Peter Wolanin of the Drupal Security Team
- Drew Webber of the Drupal Security Team
- Benji Fisher of the Drupal Security Team
- Juraj Nemec, provisional member of the Drupal Security Team
- Jen Lampton, provisional member of the Drupal Security Team
- Dave Long of the Drupal Security Team
- Kim Pepper
- Alex Pott of the Drupal Security Team
- Neil Drumm of the Drupal Security Team
Protected Pages - Critical - Access bypass - SA-CONTRIB-2023-013
This module enables you to secure any page with a password.
The module does not sufficiently restrict access to the page content.
Solution:Install the latest version:
- If you use the Protected Pages module for Drupal 8/9/10, upgrade to Protected Pages 8.x-1.6
- Greg Knaddison of the Drupal Security Team
Xray Audit - Moderately critical - Cross site scripting - SA-CONTRIB-2023-012
This module is a tool for developers, analysts, and administrators that allows them to generate reports on a given Drupal installation.
The module does not sufficiently sanitize some data presented in its reports.
This vulnerability is mitigated by the fact that an attacker must have a role with permissions to administer an impacted content type.
Solution:Install the latest version:
- If you use the Xray Audit module for Drupal 9.x / 10.x, upgrade to Xray Audit v.1.1.1
- Damien McKenna of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Chris McCafferty of the Drupal Security Team
Responsive media Image Formatter - Critical - Unsupported - SA-CONTRIB-2023-011
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported
Solution:If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#procedure---own-project---unsupported in full.
Media Responsive Thumbnail - Moderately critical - Information disclosure - SA-CONTRIB-2023-010
The Media Responsive Thumbnail module allows media reference fields to be rendered as a responsive image.
This module does not properly check entity access prior to rendering media. This may result in users seeing thumbnails of media items they do not have access to.
This release was coordinated with SA-CORE-2023-002.
Solution:Install the latest version:
- If you use the Media Responsive Thumbnail module, upgrade to Media Responsive Thumbnail 8.x-1.5
- Ivan Vidusenko
- Benji Fisher of the Drupal Security Team
- Benji Fisher of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Joseph Zhao Provisional Member of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Dave Long of the Drupal Security Team
Drupal core - Moderately critical - Access bypass - SA-CORE-2023-004
Drupal core provides a page that outputs the markup from phpinfo() to assist with diagnosing PHP configuration.
If an attacker was able to achieve an XSS exploit against a privileged user, they may be able to use the phpinfo page to access sensitive information that could be used to escalate the attack.
This vulnerability is mitigated by the fact that a successful XSS exploit is required in order to exploit it.
Solution:Install the latest version:
- If you are using Drupal 10.0, update to Drupal 10.0.5.
- If you are using Drupal 9.5, update to Drupal 9.5.5.
- If you are using Drupal 9.4, update to Drupal 9.4.12.
- If you are using Drupal 7, update to Drupal 7.95.
All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Reported By: Fixed By:- Damien McKenna of the Drupal Security Team
- Elar Lang
- Lee Rowlands of the Drupal Security Team
- Alex Bronstein of the Drupal Security Team
- Joseph Zhao Provisional Member of the Drupal Security Team
- Drew Webber of the Drupal Security Team
- Jen Lampton Provisional Member of the Drupal Security Team
- Nate Lampton
- Greg Knaddison of the Drupal Security Team
Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-003
The language module provides a Language switcher block which can be placed to provide links to quickly switch between different languages.
The URL of unpublished translations may be disclosed. When used in conjunction with a module like Pathauto, this may reveal the title of unpublished content.
This advisory is not covered by Drupal Steward.
Solution:Install the latest version:
- If you are using Drupal 10.0, update to Drupal 10.0.5.
- If you are using Drupal 9.5, update to Drupal 9.5.5.
- If you are using Drupal 9.4, update to Drupal 9.4.12.
All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Drupal 7 core does not include the Language module and therefore is not affected. The contributed modules for translation do not have the same code for language-switching links, so they are not affected, either.
Reported By: Fixed By:- Jan Kellermann
- Lee Rowlands of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Benji Fisher of the Drupal Security Team
- Jess of the Drupal Security Team
- Sascha Grossenbacher
- Neil Drumm of the Drupal Security Team
- Dave Long of the Drupal Security Team
Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-002
The Media module does not properly check entity access in some circumstances. This may result in users seeing thumbnails of media items they do not have access to, including for private files.
This release was coordinated with SA-CONTRIB-2023-010.
This advisory is not covered by Drupal Steward.
Solution:Install the latest version:
- If you are using Drupal 10.0, update to Drupal 10.0.5.
- If you are using Drupal 9.5, update to Drupal 9.5.5.
- If you are using Drupal 9.4, update to Drupal 9.4.12.
All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Drupal 7 core does not include the Media Library module and therefore is not affected.
Reported By: Fixed By:- Lee Rowlands of the Drupal Security Team
- James Williams
- Jess of the Drupal Security Team
- Dave Long of the Drupal Security Team
- Dan Flanagan
- Jen Lampton Provisional Member of the Drupal Security Team
- Joseph Zhao Provisional Member of the Drupal Security Team
- Benji Fisher of the Drupal Security Team
Gutenberg - Less critical - Denial of Service - SA-CONTRIB-2023-009
This module provides a new UI experience for node editing - Gutenberg editor.
This vulnerability can cause DoS by using reusable blocks improperly.
This vulnerability is mitigated by the fact an attacker must have "use gutenberg" permission to exploit it.
Solution:Install the latest version:
- If you use the Gutenberg module versions 8.x-2.x, upgrade to Gutenberg 8.x-2.7
- Damien McKenna of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
Group control for forums - Critical - Access bypass - SA-CONTRIB-2023-008
This module enables you to associate Forums as Group 1.x content and use Group access permissions.
Previous versions of the module incorrectly set node access on creation, and did not correctly restrict access to lists of forum topics.
Solution:Install the latest version:
- If you use the Group control for forums module for Drupal 9.x or 10.x, upgrade to Group control for forums 2.0.2
- Damien McKenna of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
Thunder - Moderately critical - Access bypass - SA-CONTRIB-2023-007
Thunder is a Drupal distribution for professional publishing. The thunder distribution ships the thunder_gqls module which provides a graphql interface.
The module doesn't sufficiently check access when serving user data via graphql leading to an access bypass vulnerability potentially exposing email addresses.
Solution:Install the latest version:
- If you use the thunder distribution for Drupal 9.x and have the thunder_gqls module enabled, upgrade to thunder 6.4.6 or thunder 6.5.3 respectively.
- Greg Knaddison of the Drupal Security Team
Better Social Sharing Buttons - Less critical - Cross Site Scripting - SA-CONTRIB-2023-006
This module enables you to add social sharing buttons to a site.
The module doesn't sufficiently sanitize the weight and ratio values entered in the module or block configuration.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".
Solution:Install the latest version:
- If you use the Better Social Sharing Buttons module for Drupal 9 or 10, upgrade to Better Social Sharing Buttons 4.0.3
- Damien McKenna of the Drupal Security Team
