Hírolvasó

Project: Svg ImageDate: 2020-March-25Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:AllVulnerability: Cross site scriptingDescription: 

SVG Image module allows to upload SVG files.

The module did not sufficiently protect against malicious code inside SVG files leading to a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have permission to upload an SVG file.

Solution: 

Install the latest version:

• If you use the SVG Image module for Drupal 8.x, upgrade to Svg Image 8.x-1.10

Also see the Svg Image project page.

Reported By: 

• Dmitry Kiselev

Fixed By: 

• Yaroslav Lushnikov
• Dmitry Kiselev
• Jeroen Tubex

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: CKEditor - WYSIWYG HTML editorDate: 2020-March-18Security risk: Moderately critical 11∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross site scriptingDescription: 

The CKEditor module (and its predecessor, FCKeditor module) allows Drupal to replace textarea fields with CKEditor 3.x/4.x (FCKeditor 2.x in case of FCKeditor module) - a visual HTML editor, sometimes called WYSIWYG editor.

Due to the usage of the JavaScript `eval()` function on non-filtered data in admin section, it was possible for a user with permission to create content visible in the admin area to inject specially crafted malicious script which causes Cross Site Scripting (XSS).

The problem existed in CKEditor module for Drupal, not in JavaScript libraries with the same names.

Solution: 

Install the latest version:

• If you use the CKEditor module for Drupal 7.x, upgrade to CKEditor 7.x-1.19

Also see the CKEditor- WYSIWYG HTML editor project page

Reported By: 

• Yonatan Offek

Fixed By: 

• Robert Mikołajuk

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Drupal coreVersion: 8.8.x-dev8.7.x-devDate: 2020-March-18Security risk: Moderately critical 13∕25 AC:Complex/A:User/CI:Some/II:Some/E:Proof/TD:DefaultVulnerability: Third-party libraryDescription: 

The Drupal project uses the third-party library CKEditor, which has released a security improvement that is needed to protect some Drupal configurations.

Vulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site’s users. When multiple people can edit content, the vulnerability can be used to execute XSS attacks against other people, including site admins with more access.

The latest versions of Drupal update CKEditor to 4.14 to mitigate the vulnerabilities.

Solution: 

Install the latest version:

• If you are using Drupal 8.8.x, upgrade to Drupal 8.8.4.
• If you are using Drupal 8.7.x, upgrade to Drupal 8.7.12.

Versions of Drupal 8 prior to 8.7.x have reached end-of-life and do not receive security coverage.

The CKEditor module can also be disabled to mitigate the vulnerability until the site is updated.

Note for Drupal 7 users

Drupal 7 core is not affected by this release; however, users who have installed the third-party CKEditor library (for example, with a contributed module) should ensure that the downloaded library is updated to CKEditor 4.14 or higher, or that CDN URLs point to a version of CKEditor 4.14 or higher. Disabling all WYSIWYG modules can mitigate the vulnerability until the site is updated.

Project: SAML Service ProviderDate: 2020-March-11Security risk: Critical 15∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

This module enables you to authenticate Drupal users using an external SAML Identity Provider.

If the site is configured to allow visitors to register for user accounts but administrator approval is required, the module doesn't sufficiently enforce the administrative approval requirement, in the case where the requesting user has already authenticated through SAML.

This vulnerability is mitigated by the fact that user accounts created in this way have only default roles, which may not have access significantly beyond that of an anonymous user. To mitigate the vulnerability without upgrading sites could disable public registration.

Solution: 

Install the latest version:

• If you use the SAML Service Provider module for Drupal 8.x, upgrade to SAML Service Provider 8.x-3.7

Also see the SAML Service Provider project page.

Reported By: 

• J Proctor

Fixed By: 

• J Proctor
• James Glasgow

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: SVG FormatterDate: 2020-March-04Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:AllVulnerability: Cross site scriptingDescription: 

SVG Formatter module provides support for using SVG images on your website.

This security release fixes third-party dependencies included in or required by SVG Formatter. XSS bypass using entities and tab.

This vulnerability is mitigated by the fact that an attacker must be able to upload SVG files.

Solution: 

Install the latest version:

• If you use the SVG Formatter module for Drupal 8.x, upgrade to SVG Formatter 8.x-1.12

Also see the SVG Formatter project page.

Reported By: 

• Jeroen Tubex

Fixed By: 

• Goran Nikolovski

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: ProfileDate: 2020-February-19Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access BypassDescription: 

The Profile module enables you to allow users to have configurable user profiles.

The module doesn't sufficiently check access when creating a user profile. Users with the "create profiles" permission could create profiles for any users.

Solution: 

Install the latest version:

• If you use the Profile module for Drupal 8.x, upgrade to Profile 8.x-1.1

Also see the Profile project page.

Reported By: 

• karl972

Fixed By: 

• Matt Glaman
• Bojan Živanović

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: Views Bulk Operations (VBO)Date: 2020-February-05Security risk: Moderately critical 12∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Access bypassDescription: 

Views Bulk Operations provides enhancements to running bulk actions on views.

The module contains an access bypass vulnerability that might allow users to execute views actions that they should not have access to.

This vulnerability is mitigated by the fact that it only occurs in the case of customised action access (by means of hook_action_info_alter).

Solution: 

Install the latest version:

• If you use Views Bulk Operations version 3.x for Drupal 8.x, upgrade to Views Bulk Operations 8.x-3.4
• If you use Views Bulk Operations version 2.x for Drupal 8.x, upgrade to Views Bulk Operations 8.x-2.6

Also see the Views Bulk Operations (VBO) project page.

Reported By: 

• Adam Shepherd

Fixed By: 

• Adam Shepherd
• Marcin Grabias

Coordinated By: 

• Greg Knaddison of the Drupal Security Team

Project: SpamSpan filterDate: 2020-January-22Security risk: Moderately critical 11∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross site scriptingDescription: 

The SpamSpan module obfuscates email addresses to help prevent spambots from collecting them.

This module contains a spamspan twig filter which doesn't sanitize the passed HTML string.

This vulnerability is mitigated by the fact that sites must have custom twig template files that use the SpamSpan filter on a field that an attacker could populate. By default the SpamSpan module does not use the vulnerable twig filter.

Solution: 

Install the latest version:

• If you use the SpamSpan module for Drupal 8.x, upgrade to SpamSpan 8.x-1.1

Also see the SpamSpan filter project page.

Reported By: 

• Jeroen Tubex

Fixed By: 

• Jeroen Tubex
• vitalie

Coordinated By: 

• Ben Jeavons of the Drupal Security Team

Project: RadixDate: 2020-January-15Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross site scriptingDescription: 

Radix is a base theme for Drupal, with Bootstrap 4, Sass, ES6 and BrowserSync built-in.

The module doesn't sufficiently filter menu titles when used in a dropdown in the main menu.

This vulnerability is mitigated by the fact that an attacker must have permission to edit a menu title used in the main menu.

Solution: 

Install the latest version:

• If you use the Radix theme for Drupal 7.x, upgrade to Radix 7.x-3.8

Also see the Radix project page.

Reported By: 

• annagaz

Fixed By: 

• David Snopek of the Drupal Security Team

Coordinated By: 

• David Snopek of the Drupal Security Team

Project: Drupal coreVersion: 8.8.x-dev8.7.x-dev7.x-devDate: 2019-December-18Security risk: Critical 17∕25 AC:Basic/A:User/CI:All/II:All/E:Proof/TD:UncommonVulnerability: Multiple vulnerabilitiesDescription: 

The Drupal project uses the third-party library Archive_Tar, which has released a security update that impacts some Drupal configurations.

Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them.

The latest versions of Drupal update Archive_Tar to 1.4.9 to mitigate the file processing vulnerabilities.

Solution: 

Install the latest version:

• If you are using Drupal 7.x, upgrade to Drupal 7.69.
• If you are using Drupal 8.7.x, upgrade to Drupal 8.7.11.
• If you are using Drupal 8.8.x, upgrade to Drupal 8.8.1.

Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.

Reported By: 

• Jasper Mattsson

Fixed By: 

• Lee Rowlands of the Drupal Security Team
• Peter Wolanin of the Drupal Security Team
• Sam Becker
• Jasper Mattsson
• David Rothstein of the Drupal Security Team
• michieltcs
• Ayesh Karunaratne
• Alex Pott of the Drupal Security Team
• Jess of the Drupal Security Team
• Samuel Mortenson of the Drupal Security Team
• Vijaya Chandran Mani Provisional Security Team Member
• Drew Webber of the Drupal Security Team

Project: Drupal coreVersion: 8.8.x-dev8.7.x-devDate: 2019-December-18Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: 

The Media Library module has a security vulnerability whereby it doesn't sufficiently restrict access to media items in certain configurations.

Solution: 

• If you are using Drupal 8.7.x, you should upgrade to Drupal 8.7.11.
• If you are using Drupal 8.8.x, you should upgrade to Drupal 8.8.1.

Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.

Alternatively, you may mitigate this vulnerability by unchecking the "Enable advanced UI" checkbox on /admin/config/media/media-library. (This mitigation is not available in 8.7.x.)

Reported By: 

• Adam G-H

Fixed By: 

• Adam G-H
• Jess of the Drupal Security Team
• Andrei Mateescu
• Greg Knaddison of the Drupal Security Team
• Alex Bronstein of the Drupal Security Team
• Sean Blommaert
• Lee Rowlands of the Drupal Security Team

Project: Drupal coreVersion: 8.8.x-dev8.7.x-devDate: 2019-December-18Security risk: Moderately critical 14∕25 AC:Basic/A:Admin/CI:Some/II:All/E:Theoretical/TD:DefaultVulnerability: Multiple vulnerabilitiesDescription: 

Drupal 8 core's file_save_upload() function does not strip the leading and trailing dot ('.') from filenames, like Drupal 7 did.

Users with the ability to upload files with any extension in conjunction with contributed modules may be able to use this to upload system files such as .htaccess in order to bypass protections afforded by Drupal's default .htaccess file.

After this fix, file_save_upload() now trims leading and trailing dots from filenames.

Solution: 

Install the latest version:

• If you use Drupal core 8.7.x: 8.7.11
• If you use Drupal core 8.8.x: 8.8.1

Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.

Reported By: 

• Rohit Kapur
• Filipe Reis
• Dan Reif
• mramydnei

Fixed By: 

• Lee Rowlands of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team
• Michael Hess of the Drupal Security Team
• Kim Pepper
• Alex Pott of the Drupal Security Team
• Derek Wright
• Jess of the Drupal Security Team
• David Rothstein of the Drupal Security Team

Project: Drupal coreVersion: 8.8.x-dev8.7.x-devDate: 2019-December-18Security risk: Moderately critical 12∕25 AC:None/A:None/CI:None/II:None/E:Theoretical/TD:AllVulnerability: Denial of ServiceDescription: 

A visit to install.php can cause cached data to become corrupted. This could cause a site to be impaired until caches are rebuilt.

Solution: 

Install the latest version:

• If you are using Drupal 8.7.x, upgrade to Drupal 8.7.11.
• If you are using Drupal 8.8.x, upgrade to Drupal 8.8.1.

Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.

To mitigate this issue in any version of Drupal 8, you can also block access to install.php if it's not required.

Reported By: 

• Drew Webber of the Drupal Security Team

Fixed By: 

• Drew Webber of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team
• Heine of the Drupal Security Team
• Alex Pott of the Drupal Security Team
• Jess of the Drupal Security Team
• Damien McKenna of the Drupal Security Team
• David Snopek of the Drupal Security Team
• Nathaniel Catchpole of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team