Hírolvasó

Project: Display SuiteVersion: 7.x-2.147.x-1.9Date: 2018-April-18Security risk: Critical 17∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross site scripting (XSS)Description: 

Display Suite allows you to take full control over how your content is displayed using a drag and drop interface.

The module doesn't sufficiently validate view modes provided dynamically via URLs leading to a reflected cross site scripting (XSS) attack.

This vulnerability is mitigated only by the fact that most modern browsers protect against reflected XSS via the url.

Solution: 

• If you use the Display Suite module for Drupal 7.x-1.x, upgrade to Display Suite 7.x-1.10
• If you use the Display Suite module for Drupal 7.x-2.x, upgrade to Display Suite 7.x-2.15

Reported By: 

• Liz Pringi

Fixed By: 

• Kristof De Jaeger the module maintainer

Coordinated By: 

• Rick Manelius of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team

Project: Menu Import and ExportVersion: 8.x-1.0Date: 2018-April-18Security risk: Critical 17∕25 AC:Basic/A:None/CI:Some/II:Some/E:Exploit/TD:UncommonVulnerability: Access bypassDescription: 

This module helps in exporting and importing Menu Items via the administrative interface.

The module does not properly restrict access to administrative pages, allowing anonymous users to export and import menu links.

There is no mitigation for this vulnerability.

Solution: 

Update to Menu Import and Export 8.x-1.2.

Reported By: 

• Nathan Dentzau

Fixed By: 

• Sandeep Reddy

Coordinated By: 

• Samuel Mortenson of the Drupal Security Team
• Michael Hess of the Drupal Security Team

Project: Drupal coreDate: 2018-April-18Security risk: Moderately critical 12∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingDescription: 

CKEditor, a third-party JavaScript library included in Drupal core, has fixed a cross-site scripting (XSS) vulnerability. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor when using the image2 plugin (which Drupal 8 core also uses).

We would like to thank the CKEditor team for patching the vulnerability and coordinating the fix and release process, and matching the Drupal core security window.

Solution: 

• If you are using Drupal 8, update to Drupal 8.5.2 or Drupal 8.4.7.
• The Drupal 7.x CKEditor contributed module is not affected if you are running CKEditor module 7.x-1.18 and using CKEditor from the CDN, since it currently uses a version of the CKEditor library that is not vulnerable.
• If you installed CKEditor in Drupal 7 using another method (for example with the WYSIWYG module or the CKEditor module with CKEditor locally) and you’re using a version of CKEditor from 4.5.11 up to 4.9.1, update the third-party JavaScript library by downloading CKEditor 4.9.2 from CKEditor's site.

Reported By: 

• Kyaw Min Thein

Fixed By: 

• Marek Lewandowski of the CKEditor team
• Wiktor Walc of the CKEditor team
• Wim Leers
• xjm Of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team
• Daniel Wehner
• Hai-Nam Nguyen
• Matthew Grill

Project: Drupal coreDate: 2018-March-28Security risk: Highly critical 21∕25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Remote Code Execution Description: 

CVE: CVE-2018-7600

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.

The security team has written an FAQ about this issue.

Solution: 

Upgrade to the most recent version of Drupal 7 or 8 core.

• If you are running 7.x, upgrade to Drupal 7.58. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)
• If you are running 8.5.x, upgrade to Drupal 8.5.1. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)

Drupal 8.3.x and 8.4.x are no longer supported and we don't normally provide security releases for unsupported minor releases. However, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that includes the fix for sites which have not yet had a chance to update to 8.5.0.

Your site's update report page will recommend the 8.5.x release even if you are on 8.3.x or 8.4.x. Please take the time to update to a supported version after installing this security update.

• If you are running 8.3.x, upgrade to Drupal 8.3.9 or apply this patch.
• If you are running 8.4.x, upgrade to Drupal 8.4.6 or apply this patch.

This issue also affects Drupal 8.2.x and earlier, which are no longer supported. If you are running any of these versions of Drupal 8, update to a more recent release and then follow the instructions above.

This issue also affects Drupal 6. Drupal 6 is End of Life. For more information on Drupal 6 support please contact a D6LTS vendor.

Reported By: 

• Jasper Mattsson

Fixed By: 

• Jasper Mattsson
• Samuel Mortenson Provisional Drupal Security Team member
• David Rothstein of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team
• Michael Hess of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team
• Peter Wolanin of the Drupal Security Team
• Alex Pott of the Drupal Security Team
• David Snopek of the Drupal Security Team
• Pere Orga of the Drupal Security Team
• Neil Drumm of the Drupal Security Team
• Cash Williams of the Drupal Security Team
• Daniel Wehner
• Tim Plunkett

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Project: ExifVersion: 8.x-1.x-devDate: 2018-March-21Security risk: Critical 16∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

This module enables you to retrieve image metadata and use them in fields or title.

The module doesn't sufficiently restrict access to module setting pages thereby causing an access bypass vulnerability.

This vulnerability is mitigated by the fact that an attacker must have permission to create entities of certain content entity types.

Solution: 

Install the latest version:

• If you use the Exif module for Drupal 8.x, upgrade to Exif 8.x-1.1

Reported By: 

• Jean-Francois Hovinne

Fixed By: 

• jphautin
• Jean-Francois Hovinne

Coordinated By: 

• Damien McKenna

Project: JSON APIVersion: 8.x-1.x-devDate: 2018-March-21Security risk: Moderately critical 11∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access BypassDescription: 

This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities.

The module doesn't sufficiently check access when viewing related resources or relationships, thereby causing an access bypass vulnerability.

This vulnerability is mitigated by the fact that an attacker must be allowed to view the related data, otherwise all they can glean is an entity type UUID and a UUID, which are meaningless by themselves.

Solution: 

Install the latest version:

• If you use the JSON API module for Drupal 8.x, upgrade to JSON API 8.x-1.14

Reported By: 

• Gabe Sullice

Fixed By: 

• Gabe Sullice
• Wim Leers
• Mateu Aguiló Bosch

Coordinated By: 

• Michael Hess Of the Drupal Security Team

Project: JSON APIDate: 2018-February-21Security risk: Moderately critical 13∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Multiple Vulnerabilities Description: 

This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities.

• The module doesn't sufficiently associate cacheability metadata in certain situations thereby causing an access bypass vulnerability.

  This vulnerability is mitigated by the fact that an attacker cannot trigger an exploitable situation themselves.

• The module doesn't sufficiently check access in certain situations.

  This vulnerability is mitigated by the fact that an attacker must have permission to create entities of certain content entity types.

Update: This is fixed in 8.x-1.10 not 8.x-1.9Solution: 

Install the latest version:

• If you use the JSON API module for Drupal 8.x, upgrade to JSON API 8.x-1.10

Reported By: 

• Wim Leers
• Gabe Sullice
• Aaron Clemmer

Fixed By: 

• Wim Leers
• Mateu Aguiló Bosch
• Gabe Sullice

Coordinated By: 

• Michael Hess of the Drupal Security Team

Project: CKEditor Upload ImageDate: 2018-February-21Security risk: Critical 15∕25 AC:None/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassDescription: 

This module enables you to drag and drop or paste images into CKEditor.
The module does not sufficiently verify users permissions, which leads to anonymous users being able to upload files to the server.

Solution: 

Install the latest version:

• If you use the CKEditor Upload Image module for Drupal 8.x, upgrade to CKEditor Upload Image 8.x-1.5

Reported By: 

• Jean-Francois Hovinne

Fixed By: 

• Jean-Francois Hovinne
• Mer
• Greg Knaddison of the Drupal Security Team

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Drupal coreVersion: 8.4.x-dev7.x-devDate: 2018-February-21Security risk: Critical 16∕25 AC:Basic/A:User/CI:Some/II:Some/E:Exploit/TD:DefaultVulnerability: Multiple Vulnerabilities Description:  Comment reply form allows access to restricted content - Critical - Drupal 8

Users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content.

This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments.

JavaScript cross-site scripting prevention is incomplete - Critical - Drupal 7 and Drupal 8

Drupal has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML. This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances.

The PHP functions which Drupal provides for HTML escaping are not affected.

Private file access bypass - Moderately Critical - Drupal 7

When using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability.

This vulnerability is mitigated by the fact that it only occurs for unusual site configurations.

jQuery vulnerability with untrusted domains - Moderately Critical - Drupal 7

A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit.

For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 as a side effect of upgrading Drupal core to use a newer version of jQuery. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module.

Language fallback can be incorrect on multilingual sites with node access restrictions - Moderately Critical - Drupal 8

When using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. This can result in an access bypass vulnerability.

This issue is mitigated by the fact that it only applies to sites that a) use the Content Translation module; and b) use a node access module such as Domain Access which implement hook_node_records().

Note that the update will mark the node access tables as needing a rebuild, which will take a long time on sites with a large number of nodes.

Settings Tray access bypass - Moderately Critical - Drupal 8

The Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for.

If you have implemented a Settings Tray form in contrib or a custom module, the correct access checks should be added. This release fixes the only two implementations in core, but does not harden against other such bypasses.

This vulnerability can be mitigated by disabling the Settings Tray module.

External link injection on 404 pages when linking to the current page - Less Critical - Drupal 7

Drupal core has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site.

Solution: 

Install the latest version:

• If you are using Drupal 8 , upgrade to Drupal 8.4.5
• If you are using Drupal 7 , upgrade to Drupal 7.57

Reported By: 

• Comment reply form allows access to restricted content - Critical - Drupal 8
  • Ivan
• JavaScript cross-site scripting prevention is incomplete - Critical - Drupal 7 and Drupal 8)
  • Grant Gaudet
• Private file access bypass - Moderately Critical - Drupal 7
  • Anders Olsson
• jQuery vulnerability with untrusted domains - Moderately Critical - Drupal 7
  • will c
• Language fallback can be incorrect on multilingual sites with node access restrictions - Moderately Critical - Drupal 8
  • Ken Rickard
• Settings Tray access bypass - Moderately Critical - Drupal 8
  • Ted Bowman
• External link injection on 404 pages when linking to the current page - Less Critical - Drupal 7
  • David Rothstein of the Drupal Security Team

Fixed By: 

• Comment reply form allows access to restricted content - Critical - Drupal 8
  • Ivan
  • Lee Rowlands of the Drupal Security Team
  • David Rothstein of the Drupal Security Team
  • Nathaniel Catchpole of the Drupal Security Team
  • Jess of the Drupal Security Team
  • Wim Leers
  • Ted Bowman
  • Matthew Donadio
  • Tim Plunkett
  • Peter Wolanin of the Drupal Security Team
• JavaScript cross-site scripting prevention is incomplete - Critical - Drupal 7 and Drupal 8)
  • Grant Gaudet
  • Kay Leung
  • Heine Deelstra of the Drupal Security Team
  • Peter Wolanin of the Drupal Security Team
  • David Rothstein of the Drupal Security Team
  • Jess of the Drupal Security Team
  • Cash Williams of the Drupal Security Team
  • Matthew Grill
  • Fatima Sarah Khalid
• Private file access bypass - Moderately Critical - Drupal 7
  • David Rothstein of the Drupal Security Team
  • Lee Rowlands of the Drupal Security Team
  • Jess of the Drupal Security Team
  • Stefan Ruijsenaars of the Drupal Security Team
  • Ken Rickard
• jQuery vulnerability with untrusted domains - Moderately Critical - Drupal 7
  • Chris McCafferty of the Drupal Security Team
  • Matthew Grill
  • will c
  • David Rothstein of the Drupal Security Team
  • Greg Knaddison of the Drupal Security Team
  • Jess of the Drupal Security Team
  • Alex Bronstein of the Drupal Security Team
• Language fallback can be incorrect on multilingual sites with node access restrictions - Moderately Critical - Drupal 8
  • Francesco Placella
  • Gábor Hojtsy
  • Michael Schmid
  • Ken Rickard
  • Tobias Zimmermann
  • Jess of the Drupal Security Team
  • Sascha Grossenbacher
• Settings Tray access bypass - Moderately Critical - Drupal 8
  • Ted Bowman
  • Lee Rowlands of the Drupal Security Team
  • Wim Leers
  • Jess of the Drupal Security Team
  • Samuel Mortenson
  • Daniel Wehner
  • David Rothstein of the Drupal Security Team
• External link injection on 404 pages when linking to the current page - Less Critical - Drupal 7
  • David Rothstein of the Drupal Security Team
  • Samuel Mortenson

Project: Entity APIDate: 2018-February-14Security risk: Moderately critical 10∕25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Information DisclosureDescription: 

The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties.

The module prints debugging information to the HTML output in certain error conditions thereby causing an information disclosure vulnerability.

This vulnerability is mitigated by the fact that an attacker needs to be able to trigger the error condition in a way that protected data is exposed.

Solution: 

Install the latest version:

• If you use the Entity API module for Drupal 7.x, upgrade to Entity API 7.x-1.9

Reported By: 

• Klaus Purer

Fixed By: 

• Klaus Purer
• Dick Olsson
• Wolfgang Ziegler

Coordinated By: 

• Michael Hess of the Drupal Security Team

Project: Entity BackupDate: 2018-February-14Security risk: Critical 18∕25 AC:None/A:None/CI:Some/II:Some/E:Proof/TD:DefaultVulnerability: Module UnsupportedDescription: 

The main purpose of the Entity Backup module is to keep a backup of deleted Drupal core entities and perform recovery of them.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

Solution: 

Uninstall the module

Reported By: 

Jean-Francois Hovinne

Fixed By: 

N/A

Coordinated By: 

N/A

Project: Dynamic BannerDate: 2018-February-14Security risk: Critical 18∕25 AC:None/A:None/CI:Some/II:Some/E:Proof/TD:DefaultVulnerability: Module UnsupportedDescription: 

Dynamic Banner is a module that lightens the load on web developers from creating many blocks for pages with different banners.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

Solution: 

Uninstall the module

Reported By: 

• Balazs Janos Tatar Provisional Security Team Member

Fixed By: 

N/A

Coordinated By: 

N/A

Project: Custom PermissionsVersion: 7.x-2.x-devDate: 2018-February-14Security risk: Moderately critical 14∕25 AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Access bypassDescription: 

This module enables the user to set custom permissions per path.

The module doesn't perform sufficient checks on paths with dynamic arguments (like "node/1" or "user/2"), thereby allowing the site administrator to save custom permissions for paths that won't be protected. This could lead to an access bypass vulnerability if the site is relying on the Custom Permissions module to protect those paths.

This vulnerability is mitigated by the fact that it only occurs on sites which attempted to use the Custom Permissions module to protect dynamic paths.

Solution: 

Install the latest version:

• If you use the Custom Permissions module for Drupal 7.x, upgrade to Custom Permissions 7.x-2.2

After installing the latest version, visit Administration → People → Custom Permissions (admin/people/custom_permissions) and save the form. If it saves with no errors, your site is not vulnerable. However, if an error message is displayed informing you that the module is attempting to protect paths with dynamic arguments that it is unable to protect, your site requires a manual fix; you should reconfigure the site to use a different method to protect these paths (for example, use "node/*" to protect all nodes with the same permission, rather than "node/1" to try to protect only a specific node; or, alternatively, use a node access module to protect the node-related paths with fine-grained access control).

Reported By: 

• David Rothstein of the Drupal Security Team

Fixed By: 

• David Rothstein of the Drupal Security Team
• David Valdez the module maintainer

Coordinated By: 

• David Rothstein of the Drupal Security Team

Project: VChessDate: 2018-February-14Security risk: Critical 18∕25 AC:None/A:None/CI:Some/II:Some/E:Proof/TD:DefaultVulnerability: Module UnsupportedDescription: 

The Drupal VChess module allows users to play a chess game.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

Solution: 

Uninstall the module.

Reported By: 

• Daniel Wehner
  

Fixed By: 

N/A

Coordinated By: 

N/A

Project: Entity Reference Tab / Accordion FormatterDate: 2018-February-07Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingDescription: 

This module enables you to show referenced entities in tabs.

The module doesn't sufficiently sanitize the body fields of the referenced entities when it prints them to the tabs.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission create/edit content of the content type that is referenced.

Solution: 

Install the latest version:

• If you use the Entity Reference Tab / Accordion Formatter module for Drupal 8.x, upgrade to 8.x-1.3

Reported By: 

• Tatar Balazs Janos Provisional Security Team member

Fixed By: 

• Tatar Balazs Janos Provisional Security Team member
• Rakesh James the module maintainer

Coordinated By: 

• Tatar Balazs Janos Provisional Security Team member

Project: FileField SourcesDate: 2018-February-07Security risk: Moderately critical 12∕25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access BypassDescription: 

This module enables you to upload files to fields via several sources.

The module doesn't sufficiently handle access control under the scenario of the autocomplete path of reference sources.

Solution: 

Install the latest version:

• If you use the filefield_sources module provided reference source for Drupal 7.x, upgrade to 7.x-1.11.

Reported By: 

• Tatar Balazs Janos Provisional Security Team member

Fixed By: 

• Tatar Balazs Janos Provisional Security Team member
• Nate Lampton the module maintainer

Coordinated By: 

• Michael Hess of the Drupal Security Team

Project: Taxonomy Term Reference Tree WidgetDate: 2018-January-31Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingDescription: 

This module provides an expandable tree widget for the Taxonomy Term Reference field in Drupal 7.

The module doesn't sufficiently sanitize the output of its own defined field formatter.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission that allows to edit terms of a taxonomy where the module handles its output.

Solution: 

Install the latest version:

• If you use the Taxonomy Term Reference Tree Widget module for Drupal 7.x, upgrade to its 7.x-1.11

Reported By: 

• Tatar Balazs Janos

Fixed By: 

• Tatar Balazs Janos
• Sumit Madan the module maintainer

Coordinated By: 

• Stella Power of the Drupal Security Team

Project: SagepayVersion: 7.x-1.4Date: 2018-January-31Security risk: Critical 15∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access BypassDescription: 

This module integrates the Sagepay payment service.

Some of the URLs used while processing the payment are not sufficiently secured. This might allow attackers to resume a previously failed payment attempt or to view content that should only be shown after a succesful payment. This affects all payments in a Drupal installation with this module enabled (including payments made using other payment methods).

Solution: 

Install the latest version:

• If you use the sagepay_paymet module for Drupal 7.x, upgrade to sagepay_payment 7.x-1.5

Also see the Sagepay project page.

Reported By: 

• Roman Zimmermann

Fixed By: 

• Roman Zimmermann

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Backup and MigrateDate: 2018-January-24Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:All/E:Theoretical/TD:DefaultVulnerability: Arbitrary PHP code executionDescription: 

This module enables you to create manual and scheduled backups of a site, and restore the site from backup.

The module doesn't sufficiently identify that its custom permissions are risky and should only be granted to highly trusted roles.

Sites using this module should review the permissions page to verify only trusted users are granted permissions defined by the module.

Solution: 

Install the latest version:

• If you use the Backup and Migrate module for Drupal 7.x, upgrade to Backup and Migrate 7.x-3.4.

Reported By: 

• John Bickar
• Cash Williams of the Drupal Security Team.

Fixed By: 

• Damien McKenna the module maintainer.
• Alex Andrascu the module maintainer.
• Daniel Pickering the module maintainer.
• Pere Orga of the Drupal Security Team.

Coordinated By: 

• Damien McKenna of the Drupal Security Team.

Project: BibleDate: 2018-January-17Security risk: Critical 17∕25 AC:Basic/A:User/CI:Some/II:All/E:Proof/TD:AllVulnerability: Multiple Vulnerabilities Description: 

This module enables you to display a Bible on your website. Users can associate notes with a Bible version.

This module has a vulnerability that would allow an attacker to wipe out, update or read notes from other users with a carefully crafted title.

A user must have the "Access Bible content" privilege, which is most likely the default if you have enabled this module.

The code appeared to allow other SQL injection vulnerabilities as well. Many lines of code were rewritten to make this module more secure. Therefore, even if you did not give users the "Access Bible content" privilege, there may have been other SQL vulnerabilities which could have been exploited.

Solution: 

Install the latest version:

• If you use the Bible module for Drupal 7.x, upgrade to Bible 7.x-1.7

Reported By: 

• jfhovinne

Fixed By: 

• Berend de Boer the module maintainer
• László Csécsy (Boobaa) the module maintainer

Coordinated By: 

• Michael Hess of the Drupal Security Team